How to Use PsList on Windows: Complete Guide

Last update: 19/09/2025
Author Isaac
  • PsList lists processes in Windows with details of CPU, memory, threads and hierarchy, locally or remotely.
  • Key parameters: -t (tree), -m (memory), -x (full view), -s/-r (sampling), filters by name/PID.
  • Integrates with PsKill and PsExec to take action: locate, terminate, and restart processes remotely.

If you manage Windows systems and want a quick and reliable view of what's happening with your processes, PsList is one of those utilities that can get you out of trouble. It is part of the PsTools package from Sysinternals and, with a handful of commands, allows detailed inspection of CPU, memory, threads and process hierarchies, both locally and remotely.

In addition to listing processes, PsList shines when you want to see the process tree, refresh data at intervals as if it were a mini Task Manager in the console, or filter by name or PID. And when you combine it with PsKill and PsExec, you can go from observing to acting: locate a problematic process, safely terminate it, and restart it in seconds, even on authorized remote computers.

What is PsList and what can it show?

PsList is a command-line utility from Sysinternals designed to list processes and their key telemetry. With a simple command you get columns like priority, number of threads and identifiers, virtual memory and working set, plus accumulated CPU and execution times for each process.

The tool can work against the local system or against an accessible remote computer. In the latter case, explicit credentials are allowed if your current permissions are not sufficient to read performance counters on the other system. Thus, PsList covers both interactive diagnosis and automation via scripts.

pslist
pslist exp
pslist -t
pslist \\EQUIPO-REMOTO -u DOMINIO\Usuario -p Contraseña

PsList also has specific views: you can ask for thread details per process, focus on memory consumption, or activate a combined view with everything at once. When you need a complete picture, the right switch saves you steps.

Installation, supported versions and how it works inside

PsList is part of PsTools, a set of console utilities from Sysinternals. It doesn't require any complex installation: just copy the executable to a folder in your PATH or call it by its path. The package is lightweight and ideal for administrators who prefer portable tools.

Compatibility: In modern environments, PsList runs on Windows 8.1 and later on the client, and on Windows Server 2012 and later on the server. These versions guarantee the support and APIs necessary to collect the information the tool exposes.

Where does it get its data from? PsList uses the Windows performance counters (the same ones that power PerfMon). Thanks to this, the information is consistent with what you would see in the system's own Performance Monitor. This integration also explains why, in remote scenarios, you may need to authenticate with an account that has adequate privileges.

A practical note: all memory values displayed by PsList appear in kilobytes (KB). If you're comparing with other tools that report in MB, keep this in mind so you don't confuse the magnitudes.

Syntax and essential parameters

The basic syntax is flexible and covers both simple and advanced cases. These are the key parameters that should be mastered to take advantage of it:

Parameter | What it does
--- | ---
pslist exp | Filters and displays processes whose name begins with "exp" (for example, Explorer).
-d | Shows thread details for each process.
-m | Focuses the output on memory statistics.
-x | Combined view with processes, memory and threads.
-t | Shows the process tree (hierarchy).
-s [n] | Runs in Task Manager-style mode for n seconds (Escape to cancel).
-r n | Sets the update frequency in seconds for the previous mode (default 1).
\\computer | Instead of the local system, gets the information from the indicated remote computer (NT/Win2K+; today's modern Windows).
-u | Allows you to specify a user to log in to the remote computer.
-p | Indicates the password on the command line. If you omit -p after entering your account, PsList will ask you for it interactively.
name | Filters and displays processes that begin with that name.
-e | Forces an exact match of the process name.
pid | Restricts output to the process with that specific PID (e.g., pslist 53).

With this base, you can cover everything from quick filters by name to PID-specific audits. And if what you want is an enriched global view, activate -x and you will have data on processes, memory and threads in one pass.

pslist -x
pslist -m chrome
pslist -t -e explorer.exe
pslist 1234

For remote scenarios, remember that domain paths and users are written using typical Windows syntax: \\COMPUTER or DOMAIN\User. Adjust according to your organization's topology.

Reading the output: abbreviations and fields

PsList output uses standard abbreviations to condense information. These are the keys you should know to interpret columns and metrics:

Column | Meaning
--- | ---
Pri | Priority of the process in the scheduler.
Thd | Number of threads in the process.
Handle | Count of open handles.
VM | Virtual memory assigned.
WS | Working set in physical memory.
Priv | Private virtual memory of the process.
Priv Pk | Peak of private virtual memory reached.
Faults | Number of page faults.
NonP | Size of the associated non-paged pool.
Page | Size of the paged pool.
Cswtch | Context switches the process has experienced.

You will also see CPU Time and Elapsed Time, useful for knowing how much CPU time the process has consumed and how long it has been running. These fields are vital for hunting down processes that are left hanging or that consume more resources than necessary.

Task Manager-style mode and continuous refresh

If you want to monitor one or more processes over a period of time without having to press anything, use PsList's sampling mode with -s. This mode refreshes the output and remains active for the time you specify (or until you press Escape). With -r you define how often, in seconds, it is updated.

pslist -s 15 -r 2

The above example runs PsList for 15 seconds with a two-second refresh. It's very handy for capturing short-lived CPU or memory spikes that you might not catch in a single run.

Working with remote computers: credentials and security

One of PsList's strengths is its ability to query processes on remote machines with which you have connectivity and permissions. The syntax is straightforward: you prefix the computer name or IP with \\ and, if necessary, supply credentials.

pslist \\MAQUINA -u DOMINIO\Administrador -p 

If you specify a user but omit the -p option, PsList will ask you for the password interactively. This is convenient when typing by hand, and prevents the password from being stored in the console history. To run in scripts, it is advisable to pass it as a parameter or use a secure credential-injection mechanism.

Keep in mind that on some networks you need permission to read the performance counters of the remote computer. If your account doesn't have it, combining -u and -p with a privileged user solves the problem and allows PsList to access the data.

Practical examples

To find all processes whose name begins with a specific string, filter by prefix and narrow down to the ones you want to watch:

pslist svchost

If you are interested in a specific process with a known PID, limit the output to that identifier:

pslist 888

For a complete snapshot (processes + memory + threads) in a single command, activate the combined view:

pslist -x

And when you want to understand the relationship between parent and child processes, nothing beats the tree to unravel the hierarchy and locate who launched whom:

pslist -t

Combine PsList with other PsTools to act (PsKill and PsExec)

Once you have located the misbehaving process, you can move from observing to taking action with PsKill. The typical flow is: list the tree on the remote machine, note the name or PID, and terminate it in a controlled manner.

pslist -t \\[EquipoRemoto o IP]
pskill -t \\[EquipoRemoto o IP] -u [EQUIPO\UsuarioAdmin] -p [Password] [NombreProceso o PID]

The -t modifier in PsKill ensures that the process and its descendants are terminated (useful when there are threads that are hanging). If you need to, you can relaunch the binary with PsExec to simulate a "reboot" of the affected service or application.

psexec \\[EquipoRemoto o IP] -u [EQUIPO\UsuarioAdmin] -p [Password] "C:\\Ruta\\Programa\\app.exe"

With this combination, in business environments it is easy to test, recover services without remote desktop, or automate maintenance tasks based on policies and service windows.

PsList in memory analysis (Volatility): a piece of the forensic puzzle

In the field of incident response, the concept of "pslist" also appears in Volatility, the memory dump analysis platform. Here, the idea is different: you are not inspecting a live Windows system, but a RAM capture to reconstruct what was happening.

In Volatility 2, the process list is obtained with vol.py ... pslist, the search for hidden processes with psscan and the hierarchy with pstree. Furthermore, there is psxview to contrast views and detect concealment. In Volatility 3, the commands change to the notation with a Windows prefix (for example, windows.pslist, windows.psscan, windows.pstree) and there is no direct equivalent to psxview.

# Volatility 2
vol.py -f "memdump.raw" --profile <perfil> pslist
vol.py -f "memdump.raw" --profile <perfil> psscan
vol.py -f "memdump.raw" --profile <perfil> pstree

# Volatility 3
vol.py -f "memdump.raw" windows.pslist
vol.py -f "memdump.raw" windows.psscan
vol.py -f "memdump.raw" windows.pstree
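Since Volatility 3 has no direct psxview equivalent, the contrast between the list walk and the pool scan can be done on the two plugins' output. The following is an added example, not part of the original article or of Volatility; it assumes both plugins were exported as CSV (Volatility 3's `-r csv` renderer) and that the columns are named as in the constructed samples.

```python
import csv
import io

# Constructed CSV in the shape of `vol.py -r csv -f memdump.raw windows.pslist`
# and `windows.psscan`; the column names are an assumption about that output.
PSLIST_CSV = """\
PID,PPID,ImageFileName,CreateTime,ExitTime
4,0,System,2025-01-10 08:00:01,N/A
612,4,smss.exe,2025-01-10 08:00:03,N/A
1480,700,svchost.exe,2025-01-10 08:00:20,N/A
"""
PSSCAN_CSV = """\
PID,PPID,ImageFileName,CreateTime,ExitTime
4,0,System,2025-01-10 08:00:01,N/A
612,4,smss.exe,2025-01-10 08:00:03,N/A
1480,700,svchost.exe,2025-01-10 08:00:20,N/A
2920,1480,cmd.exe,2025-01-10 09:14:02,2025-01-10 09:14:05
3364,1480,updater.exe,2025-01-10 09:15:40,N/A
"""

def load(text):
    """Index rows by (PID, image name); PIDs alone can be reused over time."""
    rows = csv.DictReader(io.StringIO(text))
    return {(int(r["PID"]), r["ImageFileName"]): r for r in rows}

def has_exited(row):
    """True when the row carries a real ExitTime rather than a placeholder."""
    return (row.get("ExitTime") or "").strip() not in ("", "N/A", "-")

def cross_view(pslist_text, psscan_text):
    """Classify processes that the pool scan found but the list walk did not.

    'exited'   : has an ExitTime, so it is usually just a terminated process
                 whose structure still lingers in memory.
    'unlinked' : no ExitTime yet absent from the active list; this is the
                 discrepancy psxview was used to surface in Volatility 2.
    """
    listed, scanned = load(pslist_text), load(psscan_text)
    findings = {"exited": [], "unlinked": []}
    for key in sorted(scanned.keys() - listed.keys()):
        bucket = "exited" if has_exited(scanned[key]) else "unlinked"
        findings[bucket].append(key)
    return findings
```

Entries in the "unlinked" bucket are leads to examine with windows.cmdline, windows.dlllist or windows.handles for that PID, not a verdict on their own.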

Network modules, services, kernel modules, and more also have their variants. In V2, you can use netscan, modules, svcscan, filescan, handles, dlllist, cmdline, hivescan and hivelist. In V3, their counterparts take the form windows.netscan, windows.modules, windows.svcscan, windows.filescan, windows.handles, windows.dlllist, windows.cmdline, windows.printkey, etc.

# Volatility 3 examples
vol.py -f "memdump.raw" windows.netscan
vol.py -f "memdump.raw" windows.modules
vol.py -f "memdump.raw" windows.svcscan
vol.py -f "memdump.raw" windows.filescan
vol.py -f "memdump.raw" windows.handles --pid <PID>
vol.py -f "memdump.raw" windows.dlllist --pid <PID>
vol.py -f "memdump.raw" windows.cmdline

For extraction, in V2 you use memdump or dumpfiles with output directories, and in V3 the plugin windows.dumpfiles allows dumping by PID, virtual or physical address. These flows integrate process analysis with network artifacts, logging, and modules, forming a complete forensic view.

In short, although "pslist" in Volatility is not the same utility as Sysinternals' PsList, they share the goal of reconstructing process activity. If you work in DFIR, it is useful to master both worlds: live analysis with PsTools and offline analysis with Volatility 2/3 and their new plugin names.

Related tools to complete the picture

In addition to PsList, there are utilities in the Windows ecosystem that add perspective. Having them on hand gives you agility in different phases of the diagnosis.

  • tlist.exe: from MS Debugging Tools. Displays process tree (-t) and accepts filters by PID or expressions for the name.
  • pulist.exe: from the Windows 2000 kit. Very simple; lists name, PID, and user account, and you can query remote computers.
  • cmdline: reveals the arguments and flags with which a process was launched, in addition to the image path.
  • handle: lists open handles by processes, with options to close a specific one.
  • listdlls: list DLLs loaded by processes, with path and versioning.
  • pmdump: dumps the memory of a process by PID, useful for advanced analysis.
  • Process Explorer: a very powerful graphical interface that brings together most of these functions, ideal when you don't need scripting.

Good practices and operational notes

For remote environments, ensure that the firewalls and policies allow access to the performance counters and the necessary service. You will avoid access denied errors that are not due to PsList but to the network configuration.

When automating with scripts, consider how to protect credentials. Passing clear-text passwords on the command line may expose them in the history; options like the interactive prompt or secret vaults are preferable in production.

The output of PsList, being plain text, integrates well with pipes and redirects. You can send it to a file, filter it with findstr or convert it to CSV with a little post-processing.

pslist -x > informe_pslist.txt
pslist -m | findstr /i "chrome firefox"
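The CSV post-processing mentioned above, as an added example that is not part of the original article or of PsTools. It assumes the default `pslist` column layout (Name, Pid, Pri, Thd, Hnd, Priv, CPU Time, Elapsed Time) and runs on a constructed sample; names such as `parse_pslist` are illustrative.

```python
import csv
import io
import re

# Constructed sample; assumes the default `pslist` layout (not from a real host).
SAMPLE = """\
Process information for WS-EXAMPLE:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   8    0     60   193:52:03.578    24:27:54.356
System                4   8 170 4823    196     0:12:28.937    24:27:54.356
Memory Compression 2204   8  46    0   1532     0:00:41.203    24:27:49.112
svchost             888   8  12  412  10240     0:00:03.015    24:27:50.001
"""

# Anchored from the right: the last seven fields are fixed-format, so the
# process name may itself contain spaces.
ROW = re.compile(
    r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<pri>\d+)\s+(?P<thd>\d+)\s+(?P<hnd>\d+)"
    r"\s+(?P<priv_kb>\d+)\s+(?P<cpu>\d+:\d\d:\d\d\.\d+)\s+(?P<elapsed>\d+:\d\d:\d\d\.\d+)\s*$"
)

def to_seconds(hms):
    """Convert H:MM:SS.mmm (hours may exceed 24) to seconds."""
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse_pslist(text):
    """Return one dict per process row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        d = m.groupdict()
        rows.append({
            "name": d["name"], "pid": int(d["pid"]), "pri": int(d["pri"]),
            "thd": int(d["thd"]), "hnd": int(d["hnd"]),
            "priv_kb": int(d["priv_kb"]),  # PsList reports memory in KB
            "cpu_s": to_seconds(d["cpu"]), "elapsed_s": to_seconds(d["elapsed"]),
        })
    return rows

def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

In practice the text would come from a redirected report file (such as the one produced by the redirect above) instead of `SAMPLE`; views like -m or -x use different columns and need their own pattern.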

And when you work with heavily loaded computers, avoid overly aggressive refresh intervals with -r. Responsible sampling minimizes the impact of observation on sensitive systems.

Where to get PsList and community

PsList comes in the PsTools package from Sysinternals, accessible from Microsoft's official sites. It is a suite that is updated regularly and adds tools such as PsExec, PsKill, PsService, PsLoggedOn and many others designed for local and remote administration.

If you are looking to resolve specific doubts or share experiences, the Sysinternals community and Windows-themed forums offer practical answers. Reviewing the official performance counter documentation also helps you understand how certain metrics are calculated and why they may differ from what you see in other utilities.

With PsList, you have a quick way to understand in detail what processes are running, how they consume resources, and how they relate to each other, both locally and remotely. If you add PsKill and PsExec to that, you complete the cycle: identify, intervene, and restart a service, while maintaining control and without relying on graphical sessions or complex interactive access.