The Win32_Process WMI class represents a process on an operating system.
Methods
Win32_Process has 7 methods:
| Method | Description |
|---|---|
| AttachDebugger | Launches the currently registered debugger for a process. |
| Create | Creates a new process. |
| GetAvailableVirtualSize | Retrieves the current size, in bytes, of the free virtual address space available to the process. Windows Server® 2012, Windows® 8, Windows® 7, Windows Server® 2008 and Windows® Vista: This method is not supported before Windows® 8.1 and Windows Server® 2012® R2. |
| GetOwner | Retrieves the user name and domain name under which the process is running. |
| GetOwnerSid | Retrieves the security identifier (SID) for the owner of a process. |
| SetPriority | Changes the execution priority of a process. |
| Terminate | Terminates a process and all of its threads. |
Learn more about Invoke-CimMethod and how to invoke commands. Click any of the methods listed above to learn more about their purpose, parameters, and return value.
Properties
Win32_Process returns 45 properties:
'Caption','CommandLine','CreationClassName','CreationDate','CSCreationClassName',
'CSName','Description','ExecutablePath','ExecutionState','Handle','HandleCount','InstallDate',
'KernelModeTime','MaximumWorkingSetSize','MinimumWorkingSetSize','Name','OSCreationClassName',
'OSName','OtherOperationCount','OtherTransferCount','PageFaults','PageFileUsage',
'ParentProcessId','PeakPageFileUsage','PeakVirtualSize','PeakWorkingSetSize','Priority',
'PrivatePageCount','ProcessId','QuotaNonPagedPoolUsage','QuotaPagedPoolUsage',
'QuotaPeakNonPagedPoolUsage','QuotaPeakPagedPoolUsage','ReadOperationCount','ReadTransferCount','SessionId',
'Status','TerminationDate','ThreadCount','UserModeTime','VirtualSize','WindowsVersion',
'WorkingSetSize','WriteOperationCount','WriteTransferCount'
Unless explicitly marked as writeable, all properties are read-only. Read all properties for all instances:
Get-CimInstance -ClassName Win32_Process -Property *
Most WMI classes return one or more instances.
When
Get-CimInstancereturns no result, then apparently no instances of class Win32_Process exist. This is normal behavior.Either the class is not implemented on your system (may be deprecated or due to missing drivers, i.e. CIM_VideoControllerResolution), or there are simply no physical representations of this class currently available (i.e. Win32_TapeDrive).
Caption
Short description of an objectâa one-line string.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, Caption
CommandLine
Command line used to start a specific process, if applicable.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, CommandLine
CreationClassName
Name of the class or subclass used in the creation of an instance. When used with other key properties of the class, this property allows all instances of the class and its subclasses to be uniquely identified.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, CreationClassName
CreationDate
Date the process begins executing.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, CreationDate
CSCreationClassName
Creation class name of the scoping computer system.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, CSCreationClassName
CSName
Name of the scoping computer system.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, CSName
Description
Description of an object.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, Description
ExecutablePath
Path to the executable file of the process.
Example: “C:\Windows\System\Explorer.Exe”
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, ExecutablePath
ExecutionState
Current operating condition of the process.
ExecutionState returns a numeric value. To translate it into a meaningful text, use any of the following approaches:
Use a PowerShell Hashtable
$ExecutionState_map = @{
0 = 'Unknown'
1 = 'Other'
2 = 'Ready'
3 = 'Running'
4 = 'Blocked'
5 = 'Suspended Blocked'
6 = 'Suspended Ready'
7 = 'Terminated'
8 = 'Stopped'
9 = 'Growing'
}
Use a switch statement
switch([int]$value)
{
0 {'Unknown'}
1 {'Other'}
2 {'Ready'}
3 {'Running'}
4 {'Blocked'}
5 {'Suspended Blocked'}
6 {'Suspended Ready'}
7 {'Terminated'}
8 {'Stopped'}
9 {'Growing'}
default {"$value"}
}
Use Enum structure
Enum EnumExecutionState
{
Unknown = 0
Other = 1
Ready = 2
Running = 3
Blocked = 4
Suspended_Blocked = 5
Suspended_Ready = 6
Terminated = 7
Stopped = 8
Growing = 9
}
Examples
Use $ExecutionState_map in a calculated property for Select-Object
<#
this example uses a hashtable to translate raw numeric values for
property "ExecutionState" to friendly text
Note: to use other properties than "ExecutionState", look up the appropriate
translation hashtable for the property you would like to use instead.
#>
#region define hashtable to translate raw values to friendly text
# Please note: this hashtable is specific for property "ExecutionState"
# to translate other properties, use their translation table instead
$ExecutionState_map = @{
0 = 'Unknown'
1 = 'Other'
2 = 'Ready'
3 = 'Running'
4 = 'Blocked'
5 = 'Suspended Blocked'
6 = 'Suspended Ready'
7 = 'Terminated'
8 = 'Stopped'
9 = 'Growing'
}
#endregion define hashtable
#region define calculated property (to be used with Select-Object)
<#
a calculated property is defined by a hashtable with keys "Name" and "Expression"
"Name" defines the name of the property (in this example, it is "ExecutionState", but you can rename it to anything else)
"Expression" defines a scriptblock that calculates the content of this property
in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
value to its friendly text counterpart:
#>
$ExecutionState = @{
Name = 'ExecutionState'
Expression = {
# property is an array, so process all values
$value = $_.ExecutionState
$ExecutionState_map[[int]$value]
}
}
#endregion define calculated property
# retrieve the instances, and output the properties "Caption" and "ExecutionState". The latter
# is defined by the hashtable in $ExecutionState:
Get-CimInstance -Class Win32_Process | Select-Object -Property Caption, $ExecutionState
# ...or dump content of property ExecutionState:
$friendlyValues = Get-CimInstance -Class Win32_Process |
Select-Object -Property $ExecutionState |
Select-Object -ExpandProperty ExecutionState
# output values
$friendlyValues
# output values as comma separated list
$friendlyValues -join ', '
# output values as bullet list
$friendlyValues | ForEach-Object { "- $_" }
Use $ExecutionState_map to directly translate raw values from an instance
<#
this example uses a hashtable to manually translate raw numeric values
for property "Win32_Process" to friendly text. This approach is ideal when
there is just one instance to work with.
Note: to use other properties than "Win32_Process", look up the appropriate
translation hashtable for the property you would like to use instead.
#>
#region define hashtable to translate raw values to friendly text
# Please note: this hashtable is specific for property "Win32_Process"
# to translate other properties, use their translation table instead
$ExecutionState_map = @{
0 = 'Unknown'
1 = 'Other'
2 = 'Ready'
3 = 'Running'
4 = 'Blocked'
5 = 'Suspended Blocked'
6 = 'Suspended Ready'
7 = 'Terminated'
8 = 'Stopped'
9 = 'Growing'
}
#endregion define hashtable
# get one instance:
$instance = Get-CimInstance -Class Win32_Process | Select-Object -First 1
<#
IMPORTANT: this example processes only one instance to illustrate
the number-to-text translation. To process all instances, replace
"Select-Object -First 1" with a "Foreach-Object" loop, and use
the iterator variable $_ instead of $instance
#>
# query the property
$rawValue = $instance.ExecutionState
# translate raw value to friendly text:
$friendlyName = $ExecutionState_map[[int]$rawValue]
# output value
$friendlyName
Use a switch statement inside a calculated property for Select-Object
<#
this example uses a switch clause to translate raw numeric
values for property "ExecutionState" to friendly text. The switch
clause is embedded into a calculated property so there is
no need to refer to external variables for translation.
Note: to use other properties than "ExecutionState", look up the appropriate
translation switch clause for the property you would like to use instead.
#>
#region define calculated property (to be used with Select-Object)
<#
a calculated property is defined by a hashtable with keys "Name" and "Expression"
"Name" defines the name of the property (in this example, it is "ExecutionState", but you can rename it to anything else)
"Expression" defines a scriptblock that calculates the content of this property
in this example, the scriptblock uses the hashtable defined earlier to translate each numeric
value to its friendly text counterpart:
#>
$ExecutionState = @{
Name = 'ExecutionState'
Expression = {
# property is an array, so process all values
$value = $_.ExecutionState
switch([int]$value)
{
0 {'Unknown'}
1 {'Other'}
2 {'Ready'}
3 {'Running'}
4 {'Blocked'}
5 {'Suspended Blocked'}
6 {'Suspended Ready'}
7 {'Terminated'}
8 {'Stopped'}
9 {'Growing'}
default {"$value"}
}
}
}
#endregion define calculated property
# retrieve all instances...
Get-CimInstance -ClassName Win32_Process |
# ...and output properties "Caption" and "ExecutionState". The latter is defined
# by the hashtable in $ExecutionState:
Select-Object -Property Caption, $ExecutionState
Use the Enum from above to auto-translate the code values
<#
this example translates raw values by means of type conversion
the friendly names are defined as enumeration using the
keyword "enum" (PowerShell 5 or better)
The raw value(s) are translated to friendly text by
simply converting them into the enum type.
Note: to use other properties than "Win32_Process", look up the appropriate
enum definition for the property you would like to use instead.
#>
#region define enum with value-to-text translation:
Enum EnumExecutionState
{
Unknown = 0
Other = 1
Ready = 2
Running = 3
Blocked = 4
Suspended_Blocked = 5
Suspended_Ready = 6
Terminated = 7
Stopped = 8
Growing = 9
}
#endregion define enum
# get one instance:
$instance = Get-CimInstance -Class Win32_Process | Select-Object -First 1
<#
IMPORTANT: this example processes only one instance to focus on
the number-to-text type conversion.
To process all instances, replace "Select-Object -First 1"
with a "Foreach-Object" loop, and use the iterator variable
$_ instead of $instance
#>
# query the property:
$rawValue = $instance.ExecutionState
#region using strict type conversion
<#
Note: strict type conversion fails if the raw value is
not defined by the enum. So if the list of allowable values
was extended and the enum does not match the value,
an exception is thrown
#>
# convert the property to the enum **ExecutionState**
[EnumExecutionState]$rawValue
# get a comma-separated string:
[EnumExecutionState]$rawValue -join ','
#endregion
#region using operator "-as"
<#
Note: the operator "-as" accepts values not defined
by the enum and returns $null instead of throwing
an exception
#>
$rawValue -as [EnumExecutionState]
#endregion
Enums must cover all possible values. If ExecutionState returns a value that is not defined in the enum, an exception occurs. The exception reports the value that was missing in the enum. To fix, add the missing value to the enum.
Handle
KEY PROPERTY STRING MAX 256 CHAR
Process identifier.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle
HandleCount
Total number of open handles owned by the process. HandleCount is the sum of the handles currently open by each thread in this process. A handle is used to examine or modify the system resources. Each handle has an entry in a table that is maintained internally. Entries contain the addresses of the resources and data to identify the resource type.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, HandleCount
InstallDate
Date an object is installed. The object may be installed without a value being written to this property.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, InstallDate
KernelModeTime
Time in kernel mode, in milliseconds. If this information is not available, use a value of 0 (zero).
For more information about using uint64 values in scripts, see Scripting in WMI.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, KernelModeTime
MaximumWorkingSetSize
Maximum working set size of the process. The working set of a process is the set of memory pages visible to the process in physical RAM. These pages are resident, and available for an application to use without triggering a page fault.
Example: 1413120
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, MaximumWorkingSetSize
MinimumWorkingSetSize
Minimum working set size of the process. The working set of a process is the set of memory pages visible to the process in physical RAM. These pages are resident and available for an application to use without triggering a page fault.
Example: 20480
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, MinimumWorkingSetSize
Name
Name of the executable file responsible for the process, equivalent to the Image Name property in Task Manager.
When inherited by a subclass, the property can be overridden to be a key property. The name is hard-coded into the application itself and is not affected by changing the file name. For example, even if you rename Calc.exe, the name Calc.exe will still appear in Task Manager and in any WMI scripts that retrieve the process name.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, Name
OSCreationClassName
Creation class name of the scoping operating system.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, OSCreationClassName
OSName
Name of the scoping operating system.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, OSName
OtherOperationCount
Number of I/O operations performed that are not read or write operations.
For more information about using uint64 values in scripts, see Scripting in WMI.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, OtherOperationCount
OtherTransferCount
Amount of data transferred during operations that are not read or write operations.
For more information about using uint64 values in scripts, see Scripting in WMI.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, OtherTransferCount
PageFaults
Number of page faults that a process generates.
Example: 10
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, PageFaults
PageFileUsage
Amount of page file space that a process is using currently. This value is consistent with the VMSize value in TaskMgr.exe.
Example: 102435
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, PageFileUsage
ParentProcessId
Unique identifier of the process that creates a process. Process identifier numbers are reused, so they only identify a process for the lifetime of that process. It is possible that the process identified by ParentProcessId is terminated, so ParentProcessId may not refer to a running process. It is also possible that ParentProcessId incorrectly refers to a process that reuses a process identifier. You can use the CreationDate property to determine whether the specified parent was created after the process represented by this Win32_Process instance was created.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, ParentProcessId
PeakPageFileUsage
Maximum amount of page file space used during the life of a process.
Example: 102367
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, PeakPageFileUsage
PeakVirtualSize
Maximum virtual address space a process uses at any one time. Using virtual address space does not necessarily imply corresponding use of either disk or main memory pages. However, virtual space is finite, and by using too much the process might not be able to load libraries.
For more information about using uint64 values in scripts, see Scripting in WMI.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, PeakVirtualSize
PeakWorkingSetSize
Peak working set size of a process.
Example: 1413120
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, PeakWorkingSetSize
Priority
Scheduling priority of a process within an operating system. The higher the value, the higher priority a process receives. Priority values can range from 0 (zero), which is the lowest priority to 31, which is highest priority.
Example: 7
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, Priority
PrivatePageCount
Current number of pages allocated that are only accessible to the process represented by this Win32_Process instance.
For more information about using uint64 values in scripts, see Scripting in WMI.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, PrivatePageCount
ProcessId
Numeric identifier used to distinguish one process from another. ProcessIDs are valid from process creation time to process termination. Upon termination, that same numeric identifier can be applied to a new process.
This means that you cannot use ProcessID alone to monitor a particular process. For example, an application could have a ProcessID of 7, and then fail. When a new process is started, the new process could be assigned ProcessID 7. A script that checked only for a specified ProcessID could thus be “fooled” into thinking that the original application was still running.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, ProcessId
QuotaNonPagedPoolUsage
Quota amount of nonpaged pool usage for a process.
Example: 15
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, QuotaNonPagedPoolUsage
QuotaPagedPoolUsage
Quota amount of paged pool usage for a process.
Example: 22
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, QuotaPagedPoolUsage
QuotaPeakNonPagedPoolUsage
Peak quota amount of nonpaged pool usage for a process.
Example: 31
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, QuotaPeakNonPagedPoolUsage
QuotaPeakPagedPoolUsage
Peak quota amount of paged pool usage for a process.
Example: 31
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, QuotaPeakPagedPoolUsage
ReadOperationCount
Number of read operations performed.
For more information about using uint64 values in scripts, see Scripting in WMI.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, ReadOperationCount
ReadTransferCount
Amount of data read.
For more information about using uint64 values in scripts, see Scripting in WMI.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, ReadTransferCount
SessionId
Unique identifier that an operating system generates when a session is created. A session spans a period of time from logon until logoff from a specific system.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, SessionId
Status
Current status of an object. Various operational and nonoperational statuses can be defined. Available values:
$values = 'Degraded','Error','Lost Comm','No Contact','NonRecover','OK','Pred Fail','Service','Starting','Stopping','Stressed','Unknown'
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, Status
TerminationDate
Process was stopped or terminated. To get the termination time, a handle to the process must be held open. Otherwise, this property returns NULL.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, TerminationDate
ThreadCount
Number of active threads in a process. An instruction is the basic unit of execution in a processor, and a thread is the object that executes an instruction. Each running process has at least one thread.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, ThreadCount
UserModeTime
Time in user mode, in 100 nanosecond units. If this information is not available, use a value of 0 (zero).
For more information about using uint64 values in scripts, see Scripting in WMI.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, UserModeTime
VirtualSize
Current size of the virtual address space that a process is using, not the physical or virtual memory actually used by the process. Using virtual address space does not necessarily imply corresponding use of either disk or main memory pages. Virtual space is finite, and by using too much, the process might not be able to load libraries. This value is consistent with what you see in Perfmon.exe.
For more information about using uint64 values in scripts, see Scripting in WMI.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, VirtualSize
WindowsVersion
Version of Windows in which the process is running.
Example: 4.0
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, WindowsVersion
WorkingSetSize
Amount of memory in bytes that a process needs to execute efficientlyâfor an operating system that uses page-based memory management. If the system does not have enough memory (less than the working set size), thrashing occurs. If the size of the working set is not known, use NULL or 0 (zero). If working set data is provided, you can monitor the information to understand the changing memory requirements of a process.
For more information about using uint64 values in scripts, see Scripting in WMI.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, WorkingSetSize
WriteOperationCount
Number of write operations performed.
For more information about using uint64 values in scripts, see Scripting in WMI.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, WriteOperationCount
WriteTransferCount
Amount of data written.
For more information about using uint64 values in scripts, see Scripting in WMI.
Get-CimInstance -ClassName Win32_Process | Select-Object -Property Handle, WriteTransferCount
Examples
List all instances of Win32_Process
Get-CimInstance -ClassName Win32_Process
Learn more about Get-CimInstance and the deprecated Get-WmiObject.
View all properties
Get-CimInstance -ClassName Win32_Process -Property *
View key properties only
Get-CimInstance -ClassName Win32_Process -KeyOnly
Selecting Properties
To select only some properties, pipe the results to Select-Object -Property a,b,c with a comma-separated list of the properties you require. Wildcards are permitted.
Get-CimInstance always returns all properties but only retrieves the ones that you specify. All other properties are empty but still present. That’s why you need to pipe the results into Select-Object if you want to limit the visible properties, i.e. for reporting.
Selecting Properties
The code below lists all available properties. Remove the ones you do not need:
$properties = 'Caption',
'CommandLine',
'CreationClassName',
'CreationDate',
'CSCreationClassName',
'CSName',
'Description',
'ExecutablePath',
'ExecutionState',
'Handle',
'HandleCount',
'InstallDate',
'KernelModeTime',
'MaximumWorkingSetSize',
'MinimumWorkingSetSize',
'Name',
'OSCreationClassName',
'OSName',
'OtherOperationCount',
'OtherTransferCount',
'PageFaults',
'PageFileUsage',
'ParentProcessId',
'PeakPageFileUsage',
'PeakVirtualSize',
'PeakWorkingSetSize',
'Priority',
'PrivatePageCount',
'ProcessId',
'QuotaNonPagedPoolUsage',
'QuotaPagedPoolUsage',
'QuotaPeakNonPagedPoolUsage',
'QuotaPeakPagedPoolUsage',
'ReadOperationCount',
'ReadTransferCount',
'SessionId',
'Status',
'TerminationDate',
'ThreadCount',
'UserModeTime',
'VirtualSize',
'WindowsVersion',
'WorkingSetSize',
'WriteOperationCount',
'WriteTransferCount'
Get-CimInstance -ClassName Win32_Process | Select-Object -Property $properties
Limiting Network Bandwidth
If you work remotely, it makes sense to limit network bandwidth by filtering the properties on the server side, too:
Get-CimInstance -Class Win32_Process -Property $property |
Select-Object -Property $property
Selecting Instances
To select some instances, use Get-CimInstance and a WMI Query. The wildcard character in WMI Queries is % (and not “*”).
The parameter -Filter runs a simple query.
Listing all instances where the property Caption starts with “A”
Get-CimInstance -Class Win32_Process -Filter 'Caption LIKE "a%"'
Using a WQL Query
The parameter -Query uses a query similar to SQL and combines the parameters -Filter and -Property. This returns all instances where the property Caption starts with “A”, and returns the properties specified:
Get-CimInstance -Query "SELECT TerminationDate, PeakPageFileUsage, QuotaNonPagedPoolUsage, Handle FROM Win32_Process WHERE Caption LIKE 'a%'"
Any property you did not specify is still present but empty. You might need to use
Select-Objectto remove all unwanted properties:Get-CimInstance -Query "SELECT TerminationDate, PeakPageFileUsage, QuotaNonPagedPoolUsage, Handle FROM Win32_Process WHERE Caption LIKE 'a%'" | Select-Object -Property TerminationDate, PeakPageFileUsage, QuotaNonPagedPoolUsage, Handle
Accessing Remote Computers
To access remote systems, you need to have proper permissions. User the parameter -ComputerName to access one or more remote systems.
Authenticating as Current User
# one or more computer names or IP addresses:
$list = 'server1', 'server2'
# authenticate with your current identity:
$result = Get-CimInstance -ClassName Win32_Process -ComputerName $list
$result
Authenticating as Different User
Use a CIMSession object to authenticate with a new identity:
# one or more computer names or IP addresses:
$list = 'server1', 'server2'
# authenticate with a different identity:
$cred = Get-Credential -Message 'Authenticate to retrieve WMI information:'
$session = New-CimSession -ComputerName $list -Credential $cred
$result = Get-CimInstance Win32_Process -CimSession $session
# remove the session after use (if you do not plan to re-use it later)
Remove-CimSession -CimSession $session
$result
Learn more about accessing remote computers.
Requirements
To use Win32_Process, the following requirements apply:
PowerShell
Get-CimInstance was introduced with PowerShell Version 3.0, which in turn was introduced on clients with Windows 8 and on servers with Windows Server 2012.
If necessary, update Windows PowerShell to Windows PowerShell 5.1, or install PowerShell 7 side-by-side.
Operating System
Win32_Process was introduced on clients with Windows Vista and on servers with Windows Server 2008.
Namespace
Win32_Process lives in the Namespace Root/CIMV2. This is the default namespace. There is no need to use the -Namespace parameter in Get-CimInstance.
Implementation
Win32_Process is implemented in CIMWin32.dll and defined in CIMWin32.mof. Both files are located in the folder C:\Windows\system32\wbem:
explorer $env:windir\system32\wbem
notepad $env:windir\system32\wbem\CIMWin32.mof