Windows Process Information

Process information

(pslist requires sysinternals pslist.exe):

tasklist -v
wmic process list full /format:csv
wmic process get name,parentprocessid,processid /format:csv
wmic process get ExecutablePath,processid /format:csv
wmic process get name,ExecutablePath,processid,parentprocessid /format:csv | findstr /I "appdata"
wmic process where processid=[PID] get parentprocessid
wmic process where processid=[PID] get commandline
wmic process where "commandline is not null and commandline!=''" get name,commandline /format:csv
gwmi win32_process -Filter "name like 'powershell.exe'" | select name,processId,commandline|FL
gwmi win32_process | select name,processId,path,commandline|FL
gwmi win32_process |FL ProcessID,ParentProcessID,CommandLine,@{e={$_.GetOwner().User}}
gwmi win32_process | Sort-Object -Property ProcessID | FL ProcessID,Path,CommandLine,ParentProcessID,@{n="User";e={$_.GetOwner().User}},@{n="ParentProcessPath";e={gps -Id $_.ParentProcessID|Select -exp Path}}
pslist

import-module .\Get-ProcessTree.ps1
Get-ProcessTree -Verbose | FT Id, Level, IndentedName, ParentId,Path,CommandLine

Checking for running processes

Invoke-Command -ScriptBlock {Get-Process} -Session $s1

Baseline processes and services

(Used to compare the processes/services found later against the baseline snapshot; the *1.xml files are a second snapshot taken with the same two commands)

Get-Process | Export-Clixml -Path C:\Users\User\Desktop\process.xml
Get-Service | Export-Clixml -Path C:\Users\User\Desktop\service.xml
$edproc = Import-Clixml -Path C:\Users\User\Desktop\process.xml
$edproc1 = Import-Clixml -Path C:\Users\User\Desktop\process1.xml
$edservice = Import-Clixml -Path C:\Users\User\Desktop\service.xml
$edservice1 = Import-Clixml -Path C:\Users\User\Desktop\service1.xml
Compare-Object $edproc $edproc1 -Property processname
Compare-Object $edservice $edservice1 -Property servicename
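Comparing only on processname misses a binary that was swapped out under an unchanged name. The following is an added example (not from the original page) that snapshots path and SHA256 per process and diffs a later snapshot against the baseline; the C:\IR\ paths are assumptions.

```powershell
# Added example: baseline/compare of running processes on Path + SHA256,
# not just on name. Snapshot paths below are assumptions.
function Get-ProcessSnapshot {
    Get-Process -ea 0 | Where-Object Path | ForEach-Object {
        [pscustomobject]@{
            ProcessName = $_.ProcessName
            Path        = $_.Path
            Sha256      = (Get-FileHash -Algorithm SHA256 -Path $_.Path -ea 0).Hash
        }
    }
}

function Compare-ProcessSnapshot {
    param(
        [Parameter(Mandatory)][string]$BaselinePath,
        [Parameter(Mandatory)][string]$CurrentPath
    )
    $base = Import-Clixml -Path $BaselinePath
    $cur  = Import-Clixml -Path $CurrentPath
    # Comparing on Path + Sha256 surfaces a replaced binary even when the
    # process name is identical to the baseline entry.
    Compare-Object $base $cur -Property Path, Sha256 |
        Select-Object @{n='Change'; e={ if ($_.SideIndicator -eq '=>') { 'New' } else { 'Missing' } }},
                      Path, Sha256
}

# Usage (file paths are assumptions):
# Get-ProcessSnapshot | Export-Clixml -Path C:\IR\baseline-process.xml   # at baseline time
# Get-ProcessSnapshot | Export-Clixml -Path C:\IR\current-process.xml    # later, on the same host
# Compare-ProcessSnapshot -BaselinePath C:\IR\baseline-process.xml -CurrentPath C:\IR\current-process.xml
```

Entries marked New are executables (by path and hash) that were not running at baseline; Missing are baseline executables no longer running.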

Current Process execution or module loads from temporary directories

Note: This will produce some false positives, because Select-String does a case-insensitive substring match rather than matching whole path segments. For example, 'Temp' also matches paths containing 'ItemProvider'.

(gps -Module -ea 0).FileName|Select-String "Appdata","ProgramData","Temp","Users","public"|unique

Current Process execution or module loads from temporary directories + hash

$A=((gps -Module -ea 0).FileName|Select-String "Appdata","ProgramData","Temp","Users","public"|sort|unique);foreach ($B in $A) {filehash $B};
$A=((gps).Path|Select-String "Appdata","ProgramData","Temp","Users","public"|sort|unique);foreach ($B in $A) {filehash $B};
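To avoid the substring false positives noted above (the 'ItemProvider' case), the directory names can be matched as whole path segments. This is an added example, not code from the original page; it also records the signature status of each hit, which the page's one-liners do not.

```powershell
# Added example: match the suspicious directories as whole path segments
# (backslash + name + backslash), so "Temp" no longer matches "ItemProvider".
$SuspiciousDirs = '\\(AppData|ProgramData|Temp|Users|Public)\\'

function Get-SuspiciousImageLoads {
    # Process images plus every loaded module (DLL) we are allowed to read
    $images  = (Get-Process -ea 0).Path
    $modules = (Get-Process -Module -ea 0).FileName
    @($images) + @($modules) |
        Where-Object { $_ -and $_ -match $SuspiciousDirs } |
        Sort-Object -Unique |
        ForEach-Object {
            $null = $_ -match $SuspiciousDirs     # populate $Matches for this path
            [pscustomobject]@{
                Directory = $Matches[1]          # which segment triggered the hit
                Path      = $_
                Sha256    = (Get-FileHash -Algorithm SHA256 -Path $_ -ea 0).Hash
                Signature = (Get-AuthenticodeSignature -FilePath $_ -ea 0).Status
            }
        }
}

# Usage: unsigned or invalid-signature hits from user-writable locations first
# Get-SuspiciousImageLoads | Sort-Object Signature | Format-Table -AutoSize
```

Hits under C:\Users\ are still broad (the page's own list includes Users), so triage by Signature and Sha256 rather than treating every row as malicious.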

Process Handles

Locate process handles (e.g. files open by process)

Note: Requires handle.exe/handle64.exe from sysinternals

handle64.exe -p [PID/name] -nobanner
handle64.exe -a -p [PID/name] -nobanner
handle64.exe -a -l -p [PID/name] -nobanner
handle64.exe -a -l -u -p keepass -nobanner

Close process handles (e.g. files open by process)

Note: Requires handle.exe/handle64.exe from sysinternals

handle64.exe -c [hexhandleref] -p [PID] -nobanner
handle64.exe -c [hexhandleref] -y -p [PID] -nobanner

Hashes of Processes and Artifacts

Obtain hash for all running executables

Has issues with spaces in paths (FOR /F splits each line on whitespace), but works from cmd.exe

FOR /F %i IN ('wmic process where "ExecutablePath is not null" get ExecutablePath') DO certutil -hashfile %i SHA256 | findstr -v : >> output.txt

PowerShell (special thanks to Lee Holmes)

(gps|gi -ea SilentlyContinue|filehash).hash|sort -u

My less efficient PowerShell

foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Get-FileHash $process.ExecutablePath | Format-List}

foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash}

$A = $( foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash}) |Sort-Object| Get-Unique;$A

Obtain hash of DLLs currently loaded by processes

$A = $(foreach ($dll in gps|select -ExpandProperty modules -ea SilentlyContinue|? FileName -NotLike "C:\Windows\SYSTEM32\*"){Get-FileHash $dll.FileName| select Hash -ExpandProperty Hash})|Sort-Object| Get-Unique;$A
(gps).Modules.FileName | sort -uniq | foreach {filehash $_ -ea 0}

Obtain processes whose binary's product version doesn't match the OS build

gps -FileVersionInfo -ea 0|? {$_.ProductVersion -notmatch $([System.Environment]::OSVersion.Version|Select -exp Build)}

Obtain the original/internal file names embedded in process binaries (to spot renamed executables)

gps -FileVersionInfo -ea 0 | sort -uniq | Select OriginalFilename,InternalName,Filename
gps -module -FileVersionInfo -ea 0 | sort -uniq | Select OriginalFilename,InternalName,Filename
gps -module -FileVersionInfo -ea 0 | sort -uniq | FL *name,*version

Obtain running processes that have loaded a given DLL

$A=(gps|select -ExpandProperty modules -ea SilentlyContinue | where {$_.ModuleName -Like 'sechost.dll' -or $_.ModuleName -Like 'ntdll.dll'} | sort -u);if($A[0].Size -ge -1) {foreach ($Module in $A){tasklist /m $Module.ModuleName}};
gps | FL ProcessName, @{l="Modules";e={$_.Modules|Out-String}}

Obtain hash of unsigned or invalid DLLs currently loaded by processes

$A=$(foreach ($dll in gps|select -ExpandProperty modules -ea SilentlyContinue){Get-AuthenticodeSignature $dll.FileName |Where-Object Status -NE "Valid"|Select Path});$B=$(foreach ($dll in $A){Get-FileHash $dll.Path| select Hash -ExpandProperty Hash})|Sort-Object| Get-Unique;$B

Obtain list of unsigned DLLs currently loaded by processes

gps | select -exp modules -ea 0 | Select -exp FileName | Get-AuthenticodeSignature|Where-Object Status -NE "Valid"
gps | select -exp modules -ea 0 | Select -exp FileName | Get-AuthenticodeSignature | ? Status -NE "Valid" | FL Path

Process Scanning

Scan process creation logs for ‘appdata’

Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4688';}| ? {$_.Message -match 'appdata'}|FL TimeCreated, Message
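Matching on the rendered Message text also hits 'appdata' anywhere in the event, including the parent process or account fields. The following is an added example (not from the original page) that reads the 4688 event data fields by name so the filter can be applied to NewProcessName and CommandLine specifically; the time window and directory pattern are assumptions.

```powershell
# Added example: parse 4688 (process creation) events as XML and filter on the
# named EventData fields instead of the free-text Message.
# CommandLine is only populated when the "Include command line in process
# creation events" audit policy is enabled; it is empty otherwise.
$SuspiciousDirs = '\\(AppData|ProgramData|Temp|Users|Public)\\'

function Get-SuspiciousProcessCreation {
    param([datetime]$Since = (Get-Date).AddDays(-1))   # window is an assumption
    Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4688; StartTime=$Since } -ea 0 |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            # Build a name -> value map of the event's Data elements
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                User        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Parent      = $d.ParentProcessName
                Image       = $d.NewProcessName
                CommandLine = $d.CommandLine
            }
        } |
        Where-Object { $_.Image -match $SuspiciousDirs -or $_.CommandLine -match $SuspiciousDirs }
}

# Usage:
# Get-SuspiciousProcessCreation | Sort-Object TimeCreated | Format-List
```

Reading the Security log requires an elevated session, and ParentProcessName is only present in 4688 events on Windows 10 / Server 2016 and later.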