The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

Process by user

Description: This query gives you the started processed also with username

Tested on Windows 7 Windows 10, Mac OS X 10.14.6, CentOS 7.8, Ubuntu 19.04.

SQL:

SELECT p.name, u.username, p.path, p.cmdline, p.pid FROM processes p JOIN users u on u.uid=p.uid;

1 Comment
jnelson
Carbon Black Employee
Status changed to: Approved

@gstrandberg this query is similar to this one so I just wanted to leave a link here:

https://community.carbonblack.com/t5/Query-Exchange/What-users-are-logged-into-a-specific-Host/idi-p...