'==========================================================================
'
'
' NAME: <ListServicesInProcesses.vbs>
'
' AUTHOR: Ed Wilson , MS
' DATE  : 7/29/2006
'
' COMMENT: <Uses two WMI Queries to identify services that resice in Processes>
'1.You have all seen svchost.exe in taskManager. Ever wonder WHY it was using so much
'2.Memory, or paging so much? This script reveals that. It first makes a wmi query
'3.to obtain a list of processes that do not have the PID of 0 (the system idle process).
'4.It then prints out this list ... however it retains the PID in the intPID variable.
'5.The script goes into a subroutine to query for services that have the same PID as the
'6.Processes ... these also get printed out. 
'==========================================================================

Option Explicit 
'On Error Resume Next
dim strComputer			'target computer
dim wmiNS						'target wmi name space
dim wmiQuery				'the WMI query
dim objWMIService		'sWbemservices object
dim colItems				'sWbemObjectSet object
Dim objItem					'sWbemObject
Dim intPID					'process ID from win32_Process

strComputer = "."
wmiNS = "\root\cimv2"
wmiQuery = "Select processID, name from win32_Process where processID <> 0"

Set objWMIService = GetObject("winmgmts:\\" & strComputer & wmiNS)
Set colItems = objWMIService.ExecQuery(wmiQuery)
For Each objItem In colItems
    WScript.Echo "Process Name: " & objItem.Name & " ProcessID: " & objItem.ProcessID
    intPID = objItem.ProcessID
subGetServices	'calls subGetServices to find services in the PID
Next

' *** sub below ***
Sub subGetServices
Dim wmiQuery1
Dim colItems1
Dim objItem1

wmiQuery1 = "Select name from win32_Service where processID = " & intPID

Set colItems1 = objWMIService.ExecQuery(WmiQuery1)
For Each objItem1 In colItems1
    WScript.Echo vbTab, "Service Name: ", objItem1.Name
Next
End Sub