FS_SysInfo_Process
The directory sys/proc exists as a sub-directory to the file system root.
The directory contains process related information in a convenient tree format.
The files in the sys/proc directory are listed in the table below:
File | Description
---|---
proc.txt | Process tree: lists processes and their parent processes in a tree view.
proc-v.txt | Process tree, verbose: also lists each process image path and command line.
proc-time.txt | Process list, sorted by creation time.
Files in the sys/proc directory are read-only.
The file proc.txt contains a per-pid tree view of the known processes in the system. The view includes all processes, including terminated ones.

The Flag column uses the following markers:

Flag | Description
---|---
32 | Process is 32-bit on 64-bit Windows.
E | Process is NOT found in the EPROCESS list (memory corruption, drift or unlink).
T | Process is terminated.
U | Process runs under a user account (non-system user).
* | Process image is outside standard paths.
```
Process Pid Parent Flag User Create Time Exit Time
--------------------------------------------------------------------------------------------------------
- System 4 0 SYSTEM 2020-08-01 19:20:20 UTC ***
-- Registry 88 4 SYSTEM 2020-08-01 19:20:10 UTC ***
-- smss.exe 304 4 SYSTEM 2020-08-01 19:20:20 UTC ***
-- MemCompression 1592 4 SYSTEM 2020-08-01 19:20:31 UTC ***
- csrss.exe 396 388 SYSTEM 2020-08-01 19:20:24 UTC ***
- wininit.exe 468 388 SYSTEM 2020-08-01 19:20:25 UTC ***
-- services.exe 604 468 SYSTEM 2020-08-01 19:20:26 UTC ***
...
-- userinit.exe 3996 564 TU JohnSmith 2020-08-01 19:36:12 UTC 2020-08-01 19:40:09 UTC
--- explorer.exe 4028 3996 U JohnSmith 2020-08-01 19:20:58 UTC ***
---- mspaint.exe 1832 4028 E U JohnSmith 2020-08-01 19:21:56 UTC ***
---- OneDrive.exe 8904 5896 32 U JohnSmith 2020-08-01 19:21:56 UTC ***
...
```
The example shows the sys/proc directory and the ordinary non-verbose process tree.
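As an added example (not code from the MemProcFS project or from this page), the following Python script parses a proc.txt listing and pulls out the rows a responder would review first: processes flagged E (not found in the EPROCESS list), processes flagged * (image outside standard paths), and children whose create time precedes their parent's, which usually means the parent PID was reused after the original parent exited. It assumes the whitespace-separated column layout as the listing appears on this page and that user names contain no spaces; the embedded sample is constructed from the page's own example listing, and the finding labels and the PID-reuse heuristic are the example's own.

```python
"""Parse a MemProcFS sys/proc/proc.txt listing and surface rows worth a closer look.

Added example, not MemProcFS project code. Assumes whitespace-separated columns
as shown on the wiki page and a user name without spaces.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Flag legend as documented for proc.txt.
FLAG_MEANING = {
    "32": "32-bit process on 64-bit Windows",
    "E": "not found in EPROCESS list (memory corruption, drift or unlink)",
    "T": "terminated",
    "U": "user account (non-system user)",
    "*": "image outside standard paths",
}

# Constructed from the page's example listing (truncated with "..." there as well).
SAMPLE_PROC_TXT = """\
Process Pid Parent Flag User Create Time Exit Time
--------------------------------------------------------------------------------------------------------
- System 4 0 SYSTEM 2020-08-01 19:20:20 UTC ***
-- Registry 88 4 SYSTEM 2020-08-01 19:20:10 UTC ***
-- smss.exe 304 4 SYSTEM 2020-08-01 19:20:20 UTC ***
-- MemCompression 1592 4 SYSTEM 2020-08-01 19:20:31 UTC ***
- csrss.exe 396 388 SYSTEM 2020-08-01 19:20:24 UTC ***
- wininit.exe 468 388 SYSTEM 2020-08-01 19:20:25 UTC ***
-- services.exe 604 468 SYSTEM 2020-08-01 19:20:26 UTC ***
...
-- userinit.exe 3996 564 TU JohnSmith 2020-08-01 19:36:12 UTC 2020-08-01 19:40:09 UTC
--- explorer.exe 4028 3996 U JohnSmith 2020-08-01 19:20:58 UTC ***
---- mspaint.exe 1832 4028 E U JohnSmith 2020-08-01 19:21:56 UTC ***
---- OneDrive.exe 8904 5896 32 U JohnSmith 2020-08-01 19:21:56 UTC ***
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S UTC"
TIME_RE = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC"
# Leading dashes give the tree depth; the middle group holds flags plus user name.
ROW_RE = re.compile(
    r"^(?P<depth>-+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<middle>.*?)\s+(?P<created>" + TIME_RE + r")\s+"
    r"(?P<exited>" + TIME_RE + r"|\*\*\*)\s*$"
)


@dataclass
class ProcRow:
    depth: int          # number of leading dashes = nesting level in the tree
    name: str
    pid: int
    ppid: int
    flags: set[str]
    user: str
    created: str
    exited: str | None  # None when the exit column is "***" (still running)


def parse_flags(tokens: list[str]) -> set[str]:
    """Split flag tokens: "TU" is two flags, "32" is one flag, "32U" is both."""
    flags: set[str] = set()
    for tok in tokens:
        if tok.startswith("32"):
            flags.add("32")
            tok = tok[2:]
        flags.update(tok)
    return flags


def parse_proc_txt(text: str) -> list[ProcRow]:
    rows: list[ProcRow] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:  # header, separator, "..." and blank lines
            continue
        middle = m.group("middle").split()
        exited = m.group("exited")
        rows.append(ProcRow(
            depth=len(m.group("depth")),
            name=m.group("name"),
            pid=int(m.group("pid")),
            ppid=int(m.group("ppid")),
            flags=parse_flags(middle[:-1]),
            user=middle[-1],  # assumption: the user name contains no spaces
            created=m.group("created"),
            exited=None if exited == "***" else exited,
        ))
    return rows


NOT_IN_EPROCESS = "not in EPROCESS list"
NONSTANDARD_PATH = "image outside standard paths"
BEFORE_PARENT = "created before parent"


def triage(rows: list[ProcRow]) -> list[tuple[int, str, str]]:
    """Return (pid, name, reason) tuples for rows a responder should review first."""
    by_pid = {r.pid: r for r in rows}  # last occurrence wins when a PID was reused
    findings: list[tuple[int, str, str]] = []
    for r in rows:
        if "E" in r.flags:
            findings.append((r.pid, r.name, NOT_IN_EPROCESS))
        if "*" in r.flags:
            findings.append((r.pid, r.name, NONSTANDARD_PATH))
        parent = by_pid.get(r.ppid)
        if parent is not None:
            child_t = datetime.strptime(r.created, TIME_FMT)
            parent_t = datetime.strptime(parent.created, TIME_FMT)
            if child_t < parent_t:
                # A child older than its listed parent usually means the parent
                # PID was reused; verify the lineage before trusting the link.
                findings.append((r.pid, r.name, BEFORE_PARENT))
    return findings


if __name__ == "__main__":
    for pid, name, reason in triage(parse_proc_txt(SAMPLE_PROC_TXT)):
        print(f"pid {pid:>5} {name:<16} {reason}")
```

Run against the page's sample, the script reports mspaint.exe (flag E) and two rows whose create time precedes their parent's (Registry under System, explorer.exe under the later userinit.exe instance). To use it on a live mount, read the text of `sys/proc/proc.txt` from the mounted file system instead of `SAMPLE_PROC_TXT`.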
The sys/proc sub-directory is implemented as a built-in native C-code plugin. The plugin source is located in the file modules/m_sys_proc.c in the vmm project.
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS are free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware, and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you have had a use for them, it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCILeech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development, please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖