Finding command line argument that contains

mlynch · April 1, 2016, 3:44pm

I’m trying to find java processes with command line arguments that contain a certain string. I have the relevance to get the results I want, but an unsure on how to return true if the command line arguments contain a string. For example:

Q: command line arguments of process "java"
A: -Declipse.security
A: -Dwas.status.socket=55601
A: -Dosgi.install.area=/web/was7nd/IBM/WebSphere/AppServer
A: -Dosgi.configuration.area=/web/was7nd/IBM/WebSphere/AppServer/profiles/Admin/configuration
A: -Djava.awt.headless=true
...
A: dmgr
E: Singular expression refers to non-unique object.
T: 4156

What would the relevance be to return true if any of the command line arguments contain “WebSphere”? I tried the following but came up short:

Q: exists command line arguments of process "java" whose it as lowercase contains "websphere"
E: A boolean expression is required.

Q: (exists command line arguments of process "java" whose it as lowercase contains "websphere") else (false)
E: This expression could not be parsed.

Any ideas?

Aram · April 1, 2016, 5:07pm

I haven’t tested this, but can you try:

exists command line arguments whose (it as lowercase contains “websphere”) of process “java”

(the whose should come right after the property/object you are attempting to filter)

mlynch · April 1, 2016, 5:20pm

Ah, yes! That did it (using ‘of processes "java"’ since there are multiple java processes). I’m pretty sure you’ve told me that before and it’s the one thing that keeps biting me.

Thanks for the help @Aram

jgstew · August 23, 2016, 2:20am

Always use plural relevance, never singular relevance.

This should be the working relevance, since it was never added completely:

command line arguments whose (it as lowercase contains "websphere") of processes "java"

JonL · July 21, 2020, 9:38pm

I was intrigued by this relevance to inspect arguments, so I tried it on a lab machine.

Using Debuggers 9.5.14 and 9.5.16, I get the following:

q: exists processes "cmd.exe"
A: True
T: 0.018 ms

Q: command line arguments of processes "cmd.exe"
E: The operator “command line arguments” is not defined.

q: exists processes "java.exe"
A: True
T: 0.060 ms

Q: command line arguments of processes "java.exe"
E: The operator “command line arguments” is not defined.

What am I missing?

itsmpro92 · July 21, 2020, 11:15pm

command line arguments is not defined on Windows.

Version	Platforms
8.0.584.0	AIX, Red Hat, SUSE, Solaris
8.1.535.0	Debian, Ubuntu
9.5.13.130	Raspbian

JonL · July 22, 2020, 1:21pm

Makes sense, but is unfortunate. I’d love to do argument inspection on Windows. Have a ton of use cases.

itsmpro92 · July 22, 2020, 3:36pm

I completely agree. The command line is visible in the Windows Task Manager, so it should be available through an API somewhere. Perhaps an enhancement request is in order.

Aram · July 28, 2020, 2:12pm

Agreed that this would be a good Idea to submit to the portal as an inspector enhancement!

In the meantime, it can technically be achieved via WMI inspectors with something like:

(string value of property "name" of it, string value of property "commandline" of it) of select objects "* from Win32_Process" whose (exists string value of property "commandline" of it AND string value of property "commandline" of it as lowercase contains "eventlog") of wmi

cstoneba · December 13, 2021, 4:49pm

https://bigfix-ideas.hcltechsw.com/ideas/BFP-I-256