I'm trying to use unpack (or let me know if there's a better tool) to get at just a few columns of data from the output of Windows' wmic command:
Here's the header line only:
C:\CHAS_S~1\COLUMN~1> wmic process|find /i "Caption" Caption CommandLine CreationClassName CreationDate CSCreationClassName CSName Description ExecutablePath ExecutionState Handle HandleCount InstallDate KernelModeTime MaximumWorkingSetSize MinimumWorkingSetSize Name OSCreationClassName OSName OtherOperationCount OtherTransferCount PageFaults PageFileUsage ParentProcessId PeakPageFileUsage PeakVirtualSize PeakWorkingSetSize Priority PrivatePageCount ProcessId QuotaNonPagedPoolUsage QuotaPagedPoolUsage QuotaPeakNonPagedPoolUsage QuotaPeakPagedPoolUsage ReadOperationCount ReadTransferCount SessionId Status TerminationDate ThreadCount UserModeTime VirtualSize WindowsVersion WorkingSetSize WriteOperationCount WriteTransferCount
It seemed to be fixed width data instead of delimited data, but I looked in a hex editor to see if those weren't tab delimeters. It turns out worse than that: everything is unicode:
C:\CHAS_S~1\COLUMN~1> perl -ne "print" header.bin ■C a p t i o n C o m m a n d L i n +e C r e a t i o n C l a s s N a m e C r e a +t i o n D a t e C S C r e a t i o n C l a s s N a +m e C S N a m e D e s c r i p t i o n + E x e c u t a b l e P a t h E x e c u t i o n S t a t e +H a n d l e H a n d l e C o u n t I n s t a l l D a t e K e r n e l +M o d e T i m e M a x i m u m W o r k i n g S e t S i z e M i n i m u +m W o r k i n g S e t S i z e N a m e O S +C r e a t i o n C l a s s N a m e O S N a m e O t h e r O p e r a t i o n C o u n t O t h +e r T r a n s f e r C o u n t P a g e F a u l t s P a g e F i l e U s a +g e P a r e n t P r o c e s s I d P e a k P a g e F i l e U s a g e +P e a k V i r t u a l S i z e P e a k W o r k i n g S e t S i z e P r i +o r i t y P r i v a t e P a g e C o u n t P r o c e s s I d Q u o t +a N o n P a g e d P o o l U s a g e Q u o t a P a g e d P o o l U s a g e + Q u o t a P e a k N o n P a g e d P o o l U s a g e Q u o t a P e a k P a +g e d P o o l U s a g e R e a d O p e r a t i o n C o u n t R e a d T r +a n s f e r C o u n t S e s s i o n I d S t a t u s T e r m i n a t +i o n D a t e T h r e a d C o u n t U s e r M o d e T i m e V i r t +u a l S i z e W i n d o w s V e r s i o n W o r k i n g S e t S i z e + W r i t e O p e r a t i o n C o u n t W r i t e T r a n s f e r C o u n t C:\CHAS_S~1\COLUMN~1>
So I tried to teach myself pack and unpack real quick. This reminds me of the first time I ran into Regular Expressions; the learning curve seems rather steep.
I couldn't get the W pattern to work, it turns out because I'm on 5.8.8 instead of 5.10 (and so is the prod server it will run on).
Now I'm at:
C:\CHAS_S~1\COLUMN~1> perl -ne "($caption,$commandline)=unpack('@2U[42] U[270]',$_);print $c +aption;" h eader.bin 67
C:\CHAS_S~1\COLUMN~1> perl -ne "($caption,$commandline)=unpack('@2A[42] A[270]',$_);print $c +aption;" h eader.bin C a p t i o n C:\CHAS_S~1\COLUMN~1> perl -ne "($caption,$commandline)=unpack('@2a[42] a[270]',$_);print $c +aption;" h eader.bin C a p t i o n
Either how do I get U to give me something readable instead of a code, or how do I get print to turn 'C a p t i o n' into 'Caption'?
In reply to unpacking wmic command's unicode output by goibhniu
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |