When building a WQL query, string values must be quoted; numeric and Boolean values do not need quotes.
As the filter is also a string, this often means nesting quotes within one another. The following techniques may be used to avoid needing to use PowerShell's escape character.
For filters or queries containing fixed string values, use either of the following styles. Use single quotes outside and double quotes inside:
Get-CimInstance Win32_Process -Filter 'Name="powershell.exe"'
Alternatively, use double quotes outside and single quotes inside:
Get-CimInstance Win32_Process -Filter "Name='powershell.exe'"
For filters or queries containing PowerShell variables or subexpressions, use double quotes outside as variables within a single-quoted string that will not expand:
Get-CimInstance Win32_Process -Filter "ProcessId=$PID" Get-CimInstance Win32_Process -Filter "ExecutablePath LIKE '$($pshome -replace '', '')%'"
Regex recap:
The regular expression '' represents a single literal '', as the backslash is normally the escape character. Each '' in the pshome path is replaced with '' to account for WQL using '' as an escape character as well.
The regular expression '' represents a single literal '', as the backslash is normally the escape character. Each '' in the pshome path is replaced with '' to account for WQL using '' as an escape character as well.
Finally, if a filter contains several conditions, consider using the format operator:
$filter = 'ExecutablePath LIKE "{0}%" AND WorkingSetSize<{1}' -f
($env:WinDir -replace '', ''),
100MB
Get-CimInstance Win32_Process -Filter $filter