Windows process identification
The PEB, which lives in the user process address space, contains information needed by the image loader, the heap manager, and other Windows system DLLs that need to access it from user mode. The basic structure of the PEB is illustrated in Figure and is explained in more detail later in this chapter. You can dump the PEB structure with the!
To get the address of the PEB, use the! A few key kernel global variables that relate to processes are listed in Table. These variables are referred to later in the chapter, when the steps in creating a process are described.

Pointer to the process block of the initial system process that contains the system threads.
Array of callback objects describing the routines to be called on process creation and deletion (maximum of eight).
Count of registered extended process notification routines.
Array of callback objects describing the routines to be called on image load (maximum of eight).
Mask for quickly checking whether any extended or standard notification routines are enabled.

Windows maintains a number of counters with which you can track the processes running on your system; you can retrieve these counters programmatically or view them with the Performance tool.
Table lists the performance counters relevant to processes.

Describes the percentage of time that the threads in the process have run in kernel mode during a specified interval.
Describes the percentage of CPU time that the threads in the process have used during a specified interval.
Describes the percentage of time that the threads in the process have run in user mode during a specified interval.
Describes the total elapsed time in seconds since this process was created.
Returns the process ID. This ID applies only while the process exists, because process IDs are reused.
Returns the process ID of the creating process.

For reference purposes, some of the Windows functions that apply to processes are described in Table.

Creates a new process and thread with the specified alternate security token.
Creates a new process and thread to run under the credentials of the specified username and password.

A process can use the GetCurrentProcess function to retrieve a pseudo handle to its own process object. This pseudo handle is valid only for the calling process; it cannot be inherited or duplicated for use by other processes.
To get the real handle to the process, call the DuplicateHandle function.

Parent to services such as svchost.exe.
Only one lsass.exe. Often targeted by malware as a means to dump passwords. Also mimicked by malware to hide on a system (for example, "lass"). When they are mimicked, they will not be running as children of services.exe.
Command line: svchost. They should all be running within session 0.
LSM: Sends requests to smss.exe. Child of wininit.exe.
Malware will sometimes add additional values to this key, which will load malware upon successful logons. Userinit initializes the user environment.

I have a list of processes and I want to identify which of them are legitimate and which are not. I only have the names of the processes and I want to categorize them. Is there any way to get information about those processes programmatically?
If I can at least identify which of them are common processes, that can help me make a shorter list. I can then search for the other unknown processes and get their information. I want to find the complete information on the processes so that I can find out which are the legitimate ones. There are current processes in the list and it may increase in the future. I can do it manually for now, but I want to run a script to do the check automatically.
Also, the list will depend on the software you have installed on your machine. In Windows, you can try tasklist; in Linux, you can try ps. You can make a list of trusted applications, which you can do manually or by looking them up online. Then, after getting the list of running processes programmatically, you can compare it with your trusted list of processes and display only the remaining processes.

If you feel that some of these processes are harmless and legitimate, you can add them to your list of trusted applications so that they won't show up again the next time you run your program.
ProcessExplorer by SysInternals can help with this if you have access to the machine. It also color-codes data, which I find very helpful.

There are many heuristics by which you can find which processes are malicious or not. I'll explain this with some examples: Malware tends to use common exe names to hide from detection tools. In cases like that, you can check the file location of the processes being executed. For example: processes with name svchost.