オンサイトセミナー
豊田孝の「IT談話館」 Windowsメモリダンプ解析を依頼する




「Windowsメモリダンプ解析サービス」のご案内



Windows XP/7/8/10のセッションとプロセス


 WindowsはSaaSとして提供される時代に入り、その内部は頻繁に更新されています。更新内容の多くは、いろいろな事情から、公にされることはほとんどありません。最新のユーザー空間とカーネル空間に関する信頼できる情報を取得するには、インターネットなどでは語られない高度な内部解析技術が必須とされています。

 使用中のWindowsシステムの健康度や障害を診断・解析する場合、プロセスの存在を無視することはできません。たとえば、あるプロセスがウィルスに感染しているような場合、そのプロセスが依存しているDLLリストなどの内部構成が変更され、通常とは大きく異なる動きになります(「Windows 10 Active Memory DumpとDLL解析(基礎)」参照)。また、プロセス間通信やカーネルオブジェクトの操作に何らかの問題が発生しているような場合には、パフォーマンスが著しく低下したり、時には、システムクラッシュが発生します。

 セキュリティー視点からWindowsアーキテクチャーを見た場合、本「IT談話館」の確認範囲では、次のような保護メカニズム階層が考案・実装されています。下記リンクはすべて本館記事を指しています。
  1. CPU
  2. Silo/Server Silo
  3. Session
  4. Protected Process
  5. Mandatory Integrity Control(MIC)
  6. Windows API(+CPU)
 本稿では、保護メカニズム階層内の比較的上位に位置する上記赤色のSessionを取り上げます。Windowsシステムにおけるプロセスは、ユーザープロセス、システムプロセス、サービスプロセスの3種類に大別されます。システムプロセスとサービスプロセスは、Windows Vista以降、「セッション切り離し」によりセッション0内で起動され、他のセッション内で動作するユーザープロセスからアクセスされなくなります。

 本稿では、このセッション切り離しに着目し、Windows XP/7/8/10それぞれの環境で採取されたカーネルメモリダンプを本「IT談話館」の独自コードで解析し、システムプロセス、サービスプロセス、および、ユーザープロセスの変遷を調査します。解析コードの開発知識の習得には「時間と予算の投資」が必要です。

 まずは、Vista以降のWindows環境におけるシステムプロセス、サービスプロセス、および、ユーザープロセスを次のように定義しておきます。  それでは、WindowsXP/7/8/10それぞれの環境で採取されたカーネルメモリダンプの解析結果をご覧いただきましょう。Windowsバージョンが上がるに従い、3種類のプロセス構成は激変していきます。Windows Vista以前に発売されていたWindows XPの解析結果からご覧いただきましょう。
kd> vertarget
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.070227-2254
Machine Name:
Kernel base = 0x804d9000 PsLoadedModuleList = 0x8055c620
Debug session time: Wed Jun  4 19:50:12.855 2008 (UTC + 9:00)
System Uptime: 0 days 0:09:06.425

	No.001: Parent: 0x00000	Child: 0x00004	System
	No.002: Parent: 0x00004	Child: 0x00198	smss.exe
	No.003: Parent: 0x00198	Child: 0x001c8	SessionId->0	System Process	csrss.exe
	No.004: Parent: 0x00198	Child: 0x001e0	SessionId->0	System Process	winlogon.exe
	No.005: Parent: 0x001e0	Child: 0x0020c	SessionId->0	System Process	services.exe
	No.006: Parent: 0x001e0	Child: 0x00218	SessionId->0	System Process	lsass.exe
	No.007: Parent: 0x0020c	Child: 0x002d4	SessionId->0	Service Process	svchost.exe
	No.008: Parent: 0x0020c	Child: 0x00314	SessionId->0	Service Process	svchost.exe
	No.009: Parent: 0x0020c	Child: 0x00358	SessionId->0	Service Process	svchost.exe
	No.010: Parent: 0x0020c	Child: 0x003a0	SessionId->0	Service Process	blinksvc.exe
	No.011: Parent: 0x0020c	Child: 0x003d8	SessionId->0	Service Process	svchost.exe
	No.012: Parent: 0x002d4	Child: 0x00400	SessionId->0	System Process	blinkrm.exe
	No.013: Parent: 0x0020c	Child: 0x00514	SessionId->0	Service Process	spoolsv.exe
	No.014: Parent: 0x0020c	Child: 0x00560	SessionId->0	Service Process	alg.exe
	No.015: Parent: 0x0020c	Child: 0x00598	SessionId->0	Service Process	mdm.exe
	No.016: Parent: 0x0020c	Child: 0x005c0	SessionId->0	Service Process	tcpsvcs.exe
	No.017: Parent: 0x0020c	Child: 0x005e0	SessionId->0	Service Process	snmp.exe
	No.018: Parent: 0x0020c	Child: 0x00658	SessionId->0	Service Process	wdfmgr.exe
	No.019: Parent: 0x0020c	Child: 0x006c8	SessionId->0	Service Process	EEYEEVNT.exe
	No.020: Parent: 0x00358	Child: 0x005a8	SessionId->0	System Process	wuauclt.exe
	No.021: Parent: 0x001bc	Child: 0x004bc	SessionId->0	System Process	explorer.exe
	No.022: Parent: 0x002d4	Child: 0x005d4	SessionId->0	System Process	wmiprvse.exe
	No.023: Parent: 0x004bc	Child: 0x0095c	SessionId->0	System Process	hkcmd.exe
	No.024: Parent: 0x004bc	Child: 0x00964	SessionId->0	System Process	jusched.exe
	No.025: Parent: 0x004bc	Child: 0x00970	SessionId->0	System Process	reader_sl.exe
	No.026: Parent: 0x004bc	Child: 0x00984	SessionId->0	System Process	ctfmon.exe
	No.027: Parent: 0x004bc	Child: 0x009b8	SessionId->0	System Process	BLINK.EXE
 この情報は本「IT談話館」の独自解析コードの実行結果のほんの一部です。この結果を見ると、Windows Vista以前は、すべてのプロセスが「SessionId->0」内で起動されていたことになります。また、この実行結果では、「System」と「smss.exe」の2つのプロセスがSessionIdを持たない特別な存在のように扱われていますが、実際には、「SessionId->0」と「System Process」という2つの特性を持っています(「別稿参照」)。

 セキュリティー的には、同一セッション空間をすべてのプロセスが共有していますから、いろいろな危険性が残されています。また、この情報は、Windowsシステムのスタートアップからのプロセス起動順を示していますから、「ユーザー名」と「パスワード」の入力画面を表示し、トークンを作成する「winlogon.exe」プロセスの起動順とその親プロセスに注目しておいてください。親プロセスが乗っ取られれば、その影響は子プロセスに及びます。Windowsバージョンが上がるに従い、セキュリティー向上への工夫からプロセス間の親子関係は複雑になっていきます(「別稿参照」)。

 Windows Vista以降に発売されたWindows 7環境ではどのように改善されたのでしょう。
4: kd> vertarget
Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.22616.amd64fre.win7sp1_ldr.140303-2307
Machine Name:
Kernel base = 0xfffff800`03a54000 PsLoadedModuleList = 0xfffff800`03c98890
Debug session time: Sat Sep 20 09:58:01.081 2014 (UTC + 9:00)
System Uptime: 0 days 2:46:44.174


	No.001: Parent: 0x00000	Child: 0x00004	System
	No.002: Parent: 0x00004	Child: 0x001ac	smss.exe
	No.003: Parent: 0x001f4	Child: 0x0023c	SessionId->0	System Process	csrss.exe
	No.004: Parent: 0x001ac	Child: 0x002ac	SessionId->0	System Process	psxss.exe
	No.005: Parent: 0x002b4	Child: 0x002c0	SessionId->1	User Process	csrss.exe
	No.006: Parent: 0x001f4	Child: 0x002cc	SessionId->0	System Process	wininit.exe
	No.007: Parent: 0x002cc	Child: 0x002f8	SessionId->0	System Process	services.exe
	No.008: Parent: 0x002cc	Child: 0x00308	SessionId->0	System Process	lsass.exe
	No.009: Parent: 0x002cc	Child: 0x00310	SessionId->0	System Process	lsm.exe
	No.010: Parent: 0x002b4	Child: 0x00330	SessionId->1	User Process	winlogon.exe
	No.011: Parent: 0x002f8	Child: 0x003a4	SessionId->0	Service Process	svchost.exe
	No.012: Parent: 0x002f8	Child: 0x003f4	SessionId->0	Service Process	nvvsvc.exe
	No.013: Parent: 0x002f8	Child: 0x00184	SessionId->0	Service Process	svchost.exe
	No.014: Parent: 0x002f8	Child: 0x003e8	SessionId->0	Service Process	svchost.exe
	No.015: Parent: 0x002f8	Child: 0x00408	SessionId->0	Service Process	svchost.exe
	No.016: Parent: 0x002f8	Child: 0x00430	SessionId->0	Service Process	svchost.exe
	No.017: Parent: 0x002f8	Child: 0x00450	SessionId->0	Service Process	svchost.exe
	No.018: Parent: 0x003e8	Child: 0x004d8	SessionId->0	System Process	audiodg.exe
	No.019: Parent: 0x002f8	Child: 0x00524	SessionId->0	Service Process	CTAudSvc.exe
	No.020: Parent: 0x002f8	Child: 0x00578	SessionId->0	Service Process	svchost.exe
	No.021: Parent: 0x002f8	Child: 0x005ec	SessionId->0	Service Process	svchost.exe
	No.022: Parent: 0x003f4	Child: 0x00610	SessionId->1	User Process	nvxdsync.exe
	No.023: Parent: 0x003f4	Child: 0x00620	SessionId->1	User Process	nvvsvc.exe
	No.024: Parent: 0x002f8	Child: 0x00704	SessionId->0	Service Process	spoolsv.exe
	No.025: Parent: 0x002f8	Child: 0x00754	SessionId->0	Service Process	svchost.exe
	No.026: Parent: 0x002f8	Child: 0x007dc	SessionId->0	Service Process	armsvc.exe
	No.027: Parent: 0x002f8	Child: 0x00520	SessionId->0	Service Process	CLMSMonitorSer
	No.028: Parent: 0x002f8	Child: 0x005b8	SessionId->0	Service Process	CLMSServerPDVD
	No.029: Parent: 0x00520	Child: 0x00604	SessionId->0	System Process	CLMSServerPDVD
	No.030: Parent: 0x002f8	Child: 0x0053c	SessionId->0	Service Process	ekrn.exe
	No.031: Parent: 0x002f8	Child: 0x00720	SessionId->0	Service Process	svchost.exe
	No.032: Parent: 0x002f8	Child: 0x00724	SessionId->0	Service Process	LMS.exe
	No.033: Parent: 0x002f8	Child: 0x00824	SessionId->0	Service Process	mbae-svc.exe
	No.034: Parent: 0x002f8	Child: 0x00864	SessionId->0	Service Process	mdm.exe
	No.035: Parent: 0x00824	Child: 0x008dc	SessionId->0	System Process	mbae64.exe
	No.036: Parent: 0x002f8	Child: 0x009ec	SessionId->0	Service Process	sqlservr.exe
	No.037: Parent: 0x002f8	Child: 0x00a1c	SessionId->0	Service Process	nTuneService.e
	No.038: Parent: 0x002f8	Child: 0x00a98	SessionId->0	Service Process	o2flash.exe
	No.039: Parent: 0x002f8	Child: 0x00ab8	SessionId->0	Service Process	PnkBstrA.exe
	No.040: Parent: 0x002f8	Child: 0x00af4	SessionId->0	Service Process	Rebit-Pro-Svc.
	No.041: Parent: 0x002f8	Child: 0x00be0	SessionId->0	Service Process	TCPSVCS.EXE
	No.042: Parent: 0x002f8	Child: 0x00bf4	SessionId->0	Service Process	snmp.exe
	No.043: Parent: 0x002f8	Child: 0x00784	SessionId->0	Service Process	svchost.exe
	No.044: Parent: 0x002f8	Child: 0x00a10	SessionId->0	Service Process	ThpSrv.exe
	No.045: Parent: 0x002f8	Child: 0x00ab4	SessionId->0	Service Process	TODDSrv.exe
	No.046: Parent: 0x002f8	Child: 0x00c18	SessionId->0	Service Process	TosCoSrv.exe
	No.047: Parent: 0x002f8	Child: 0x00c7c	SessionId->0	Service Process	TecoService.ex
	No.048: Parent: 0x002f8	Child: 0x00cac	SessionId->0	Service Process	UNS.exe
	No.049: Parent: 0x002f8	Child: 0x00cc4	SessionId->0	Service Process	svchost.exe
	No.050: Parent: 0x002f8	Child: 0x00cd8	SessionId->0	Service Process	svchost.exe
	No.051: Parent: 0x002f8	Child: 0x00d00	SessionId->0	Service Process	WLIDSVC.EXE
	No.052: Parent: 0x002f8	Child: 0x00d78	SessionId->0	Service Process	SearchIndexer.
	No.053: Parent: 0x00d00	Child: 0x00db0	SessionId->0	System Process	WLIDSVCM.EXE
	No.054: Parent: 0x002f8	Child: 0x00e08	SessionId->0	Service Process	nfsclnt.exe
	No.055: Parent: 0x003a4	Child: 0x00f78	SessionId->0	System Process	WmiPrvSE.exe
	No.056: Parent: 0x002f8	Child: 0x01044	SessionId->0	Service Process	svchost.exe
	No.057: Parent: 0x00408	Child: 0x010e8	SessionId->0	System Process	WUDFHost.exe
	No.058: Parent: 0x003a4	Child: 0x01228	SessionId->0	System Process	WmiPrvSE.exe
	No.059: Parent: 0x002f8	Child: 0x01354	SessionId->1	User Process	taskhost.exe
	No.060: Parent: 0x00408	Child: 0x013dc	SessionId->1	User Process	dwm.exe
	No.061: Parent: 0x013d4	Child: 0x013e4	SessionId->1	User Process	explorer.exe
	No.062: Parent: 0x00a1c	Child: 0x010d8	SessionId->1	User Process	nTuneCmd.exe
	No.063: Parent: 0x013e4	Child: 0x01174	SessionId->1	User Process	SynTPEnh.exe
	No.064: Parent: 0x003a4	Child: 0x01180	SessionId->1	User Process	explorer.exe
	No.065: Parent: 0x013e4	Child: 0x009dc	SessionId->1	User Process	TPwrMain.exe
	No.066: Parent: 0x013e4	Child: 0x00d08	SessionId->1	User Process	SmoothView.exe
	No.067: Parent: 0x013e4	Child: 0x00740	SessionId->1	User Process	TCrdMain.exe
	No.068: Parent: 0x01174	Child: 0x012a8	SessionId->1	User Process	SynTPHelper.ex
	No.069: Parent: 0x013e4	Child: 0x012ac	SessionId->1	User Process	Teco.exe
	No.070: Parent: 0x013e4	Child: 0x01008	SessionId->1	User Process	ThpSrv.exe
	No.071: Parent: 0x00740	Child: 0x01384	SessionId->1	User Process	TCrdKBB.exe
	No.072: Parent: 0x013e4	Child: 0x00640	SessionId->1	User Process	TosNcCore.exe
	No.073: Parent: 0x013e4	Child: 0x007e4	SessionId->1	User Process	TosReelTimeMon
	No.074: Parent: 0x013e4	Child: 0x00ae0	SessionId->1	User Process	HDMICtrlMan.ex
	No.075: Parent: 0x013e4	Child: 0x012b8	SessionId->1	User Process	XBoxStat.exe
	No.076: Parent: 0x002f8	Child: 0x012b4	SessionId->0	Service Process	wmpnetwk.exe
	No.077: Parent: 0x00974	Child: 0x001e8	SessionId->1	User Process	SmartAudio.exe
	No.078: Parent: 0x013e4	Child: 0x01018	SessionId->1	User Process	DashUI.exe
	No.079: Parent: 0x002f8	Child: 0x00538	SessionId->0	Service Process	svchost.exe
	No.080: Parent: 0x00450	Child: 0x01450	SessionId->1	User Process	taskeng.exe
	No.081: Parent: 0x01450	Child: 0x0148c	SessionId->1	User Process	NDSTray.exe
	No.082: Parent: 0x00ae0	Child: 0x014d4	SessionId->1	User Process	HCMSoundChange
	No.083: Parent: 0x013e4	Child: 0x01560	SessionId->1	User Process	LCore.exe
	No.084: Parent: 0x013e4	Child: 0x0156c	SessionId->1	User Process	rundll32.exe
	No.085: Parent: 0x013e4	Child: 0x01574	SessionId->1	User Process	rundll32.exe
	No.086: Parent: 0x013e4	Child: 0x0157c	SessionId->1	User Process	egui.exe
	No.087: Parent: 0x013e4	Child: 0x017b0	SessionId->1	User Process	SkyDrive.exe
	No.088: Parent: 0x013e4	Child: 0x017d0	SessionId->1	User Process	sidebar.exe
	No.089: Parent: 0x013e4	Child: 0x017e0	SessionId->1	User Process	Power2GoExpres
	No.090: Parent: 0x013e4	Child: 0x00df4	SessionId->1	User Process	TosBtMng.exe
	No.091: Parent: 0x003a4	Child: 0x01448	SessionId->0	System Process	dllhost.exe
	No.092: Parent: 0x001e4	Child: 0x01728	SessionId->1	User Process	IAStorIcon.exe
	No.093: Parent: 0x001e4	Child: 0x01744	SessionId->1	User Process	TWebCamera.exe
	No.094: Parent: 0x013e4	Child: 0x0120c	SessionId->1	User Process	ONENOTEM.EXE
	No.095: Parent: 0x002f8	Child: 0x016d4	SessionId->0	Service Process	CFIWmxSvcs64.e
	No.096: Parent: 0x001e4	Child: 0x01530	SessionId->1	User Process	ToshibaService
	No.097: Parent: 0x001e4	Child: 0x00c34	SessionId->1	User Process	VolPanlu.exe
	No.098: Parent: 0x001e4	Child: 0x0180c	SessionId->1	User Process	SBRecon.exe
	No.099: Parent: 0x001e4	Child: 0x01820	SessionId->1	User Process	PowerDVD13Agen
	No.100: Parent: 0x001e4	Child: 0x019a4	SessionId->1	User Process	mbae.exe
	No.101: Parent: 0x001e4	Child: 0x01b1c	SessionId->1	User Process	rundll32.exe
	No.102: Parent: 0x001e4	Child: 0x01a18	SessionId->1	User Process	jusched.exe
	No.103: Parent: 0x002f8	Child: 0x01a98	SessionId->0	Service Process	TosBtSrv.exe
	No.104: Parent: 0x002f8	Child: 0x01bf0	SessionId->0	Service Process	CFSvcs.exe
	No.105: Parent: 0x002f8	Child: 0x0147c	SessionId->0	Service Process	AL6Licensing.e
	No.106: Parent: 0x002f8	Child: 0x01b08	SessionId->0	Service Process	CTAELicensing.
	No.107: Parent: 0x002f8	Child: 0x01aec	SessionId->0	Service Process	DkService.exe
	No.108: Parent: 0x002f8	Child: 0x01a14	SessionId->0	Service Process	TPCHSrv.exe
	No.109: Parent: 0x002f8	Child: 0x01830	SessionId->0	Service Process	TosSmartSrv.ex
	No.110: Parent: 0x00444	Child: 0x01ca8	SessionId->1	User Process	TosSENotify.ex
	No.111: Parent: 0x00394	Child: 0x01ddc	SessionId->1	User Process	TPCHWMsg.exe
	No.112: Parent: 0x0148c	Child: 0x01e80	SessionId->1	User Process	CFSwMgr.exe
	No.113: Parent: 0x00df4	Child: 0x01ec0	SessionId->1	User Process	TosA2dp.exe
	No.114: Parent: 0x002f8	Child: 0x01f0c	SessionId->0	Service Process	TurboBoost.exe
	No.115: Parent: 0x01c90	Child: 0x01f20	SessionId->0	System Process	GoogleUpdate.e
	No.116: Parent: 0x002f8	Child: 0x01fd0	SessionId->0	Service Process	IAStorDataMgrS
	No.117: Parent: 0x01f20	Child: 0x01fe4	SessionId->0	System Process	GoogleCrashHan
	No.118: Parent: 0x00df4	Child: 0x01c78	SessionId->1	User Process	TosBtHid.exe
	No.119: Parent: 0x01f20	Child: 0x01bec	SessionId->0	System Process	GoogleCrashHan
	No.120: Parent: 0x00df4	Child: 0x01ccc	SessionId->1	User Process	TosBtHSP.exe
	No.121: Parent: 0x002f8	Child: 0x01e94	SessionId->0	Service Process	PresentationFo
	No.122: Parent: 0x002f8	Child: 0x0216c	SessionId->0	Service Process	TMachInfo.exe
	No.123: Parent: 0x00824	Child: 0x018b4	SessionId->0	System Process	mbae64.exe
	No.124: Parent: 0x00824	Child: 0x018f0	SessionId->0	System Process	mbae64.exe
	No.125: Parent: 0x021b8	Child: 0x02108	SessionId->1	User Process	Arc.exe
	No.126: Parent: 0x02108	Child: 0x02004	SessionId->1	User Process	ArcOSBrowser.e
	No.127: Parent: 0x0192c	Child: 0x00d50	SessionId->1	User Process	crypticError.e
	No.128: Parent: 0x01178	Child: 0x01948	SessionId->1	User Process	iexplore.exe
	No.129: Parent: 0x01948	Child: 0x01a34	SessionId->1	User Process	iexplore.exe
	No.130: Parent: 0x01948	Child: 0x023a0	SessionId->1	User Process	iexplore.exe
	No.131: Parent: 0x014e4	Child: 0x0234c	SessionId->1	User Process	crypticError.e
	No.132: Parent: 0x01f8c	Child: 0x017ec	SessionId->1	User Process	GameClient.exe
	No.133: Parent: 0x017ec	Child: 0x01c58	SessionId->1	User Process	ArcOSOverlay.e
 ご覧のように、動作中のプロセスは、セッション単位で分離されています。「winlogon.exe」プロセスの親プロセスは、XP時代の「smss.exe」プロセスではなく、正体不明のプロセス「0x002b4」となっています。このようなセキュリティー向上策は、Windows 8.1でもそのまま継承されるのでしょうか。
2: kd> vertarget
Windows 8.1 Kernel Version 9600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 9600.17238.amd64fre.winblue_gdr.140723-2018
Machine Name:
Kernel base = 0xfffff801`6868c000 PsLoadedModuleList = 0xfffff801`68956350
Debug session time: Thu Oct  9 00:34:44.270 2014 (UTC + 9:00)
System Uptime: 0 days 13:38:52.140


	No.001: Parent: 0x00000	Child: 0x00004	System
	No.002: Parent: 0x00004	Child: 0x00150	smss.exe
	No.003: Parent: 0x001f4	Child: 0x00208	SessionId->0	System Process	csrss.exe
	No.004: Parent: 0x001f4	Child: 0x00288	SessionId->0	System Process	wininit.exe
	No.005: Parent: 0x00288	Child: 0x002f4	SessionId->0	System Process	services.exe
	No.006: Parent: 0x00288	Child: 0x002fc	SessionId->0	System Process	lsass.exe
	No.007: Parent: 0x002f4	Child: 0x00354	SessionId->0	Service Process	svchost.exe
	No.008: Parent: 0x002f4	Child: 0x00388	SessionId->0	Service Process	svchost.exe
	No.009: Parent: 0x002f4	Child: 0x00124	SessionId->0	Service Process	nvvsvc.exe
	No.010: Parent: 0x002f4	Child: 0x00184	SessionId->0	Service Process	svchost.exe
	No.011: Parent: 0x002f4	Child: 0x002bc	SessionId->0	Service Process	svchost.exe
	No.012: Parent: 0x002f4	Child: 0x00398	SessionId->0	Service Process	svchost.exe
	No.013: Parent: 0x002f4	Child: 0x00424	SessionId->0	Service Process	svchost.exe
	No.014: Parent: 0x002f4	Child: 0x004bc	SessionId->0	Service Process	svchost.exe
	No.015: Parent: 0x002f4	Child: 0x0050c	SessionId->0	Service Process	AsLdrSrv.exe
	No.016: Parent: 0x002f4	Child: 0x00558	SessionId->0	Service Process	GFNEXSrv.exe
	No.017: Parent: 0x00424	Child: 0x00598	SessionId->0	System Process	wlanext.exe
	No.018: Parent: 0x00598	Child: 0x005a0	SessionId->0	System Process	conhost.exe
	No.019: Parent: 0x002f4	Child: 0x005f4	SessionId->0	Service Process	spoolsv.exe
	No.020: Parent: 0x002f4	Child: 0x00614	SessionId->0	Service Process	svchost.exe
	No.021: Parent: 0x002f4	Child: 0x00630	SessionId->0	Service Process	svchost.exe
	No.022: Parent: 0x002f4	Child: 0x006f0	SessionId->0	Service Process	armsvc.exe
	No.023: Parent: 0x002f4	Child: 0x0070c	SessionId->0	Service Process	AppleMobileDev
	No.024: Parent: 0x002f4	Child: 0x00734	SessionId->0	Service Process	InsOnSrv.exe
	No.025: Parent: 0x002f4	Child: 0x0075c	SessionId->0	Service Process	mDNSResponder.
	No.026: Parent: 0x002f4	Child: 0x0077c	SessionId->0	Service Process	officeclicktor
	No.027: Parent: 0x002f4	Child: 0x007b4	SessionId->0	Service Process	DptfParticipan
	No.028: Parent: 0x002f4	Child: 0x007e8	SessionId->0	Service Process	DptfPolicyConf
	No.029: Parent: 0x002f4	Child: 0x0040c	SessionId->0	Service Process	DptfPolicyCrit
	No.030: Parent: 0x00424	Child: 0x00434	SessionId->0	System Process	dasHost.exe
	No.031: Parent: 0x002f4	Child: 0x00484	SessionId->0	Service Process	DptfPolicyLpmS
	No.032: Parent: 0x002f4	Child: 0x00518	SessionId->0	Service Process	EvtEng.exe
	No.033: Parent: 0x002f4	Child: 0x005e0	SessionId->0	Service Process	GfExperienceSe
	No.034: Parent: 0x002f4	Child: 0x00830	SessionId->0	Service Process	NIS.exe
	No.035: Parent: 0x002f4	Child: 0x00894	SessionId->0	Service Process	NvNetworkServi
	No.036: Parent: 0x002f4	Child: 0x0092c	SessionId->0	Service Process	nvstreamsvc.ex
	No.037: Parent: 0x002f4	Child: 0x00968	SessionId->0	Service Process	RegSrvc.exe
	No.038: Parent: 0x002f4	Child: 0x00980	SessionId->0	Service Process	svchost.exe
	No.039: Parent: 0x002f4	Child: 0x009a8	SessionId->0	Service Process	ZeroConfigServ
	No.040: Parent: 0x00354	Child: 0x009e4	SessionId->0	System Process	unsecapp.exe
	No.041: Parent: 0x00354	Child: 0x00a50	SessionId->0	System Process	WmiPrvSE.exe
	No.042: Parent: 0x002f4	Child: 0x00b68	SessionId->0	Service Process	svchost.exe
	No.043: Parent: 0x0092c	Child: 0x00c10	SessionId->0	System Process	nvstreamsvc.ex
	No.044: Parent: 0x00c10	Child: 0x00c18	SessionId->0	System Process	conhost.exe
	No.045: Parent: 0x00734	Child: 0x00a28	SessionId->1	User Process	InsOnWMI.exe
	No.046: Parent: 0x002f4	Child: 0x01154	SessionId->0	Service Process	SearchIndexer.
	No.047: Parent: 0x008e4	Child: 0x011e8	SessionId->0	System Process	GoogleCrashHan
	No.048: Parent: 0x008e4	Child: 0x0128c	SessionId->0	System Process	GoogleCrashHan
	No.049: Parent: 0x002f4	Child: 0x01318	SessionId->0	Service Process	devmonsrv.exe
	No.050: Parent: 0x002f4	Child: 0x0137c	SessionId->0	Service Process	obexsrv.exe
	No.051: Parent: 0x002f4	Child: 0x013e0	SessionId->0	Service Process	IntelMeFWServi
	No.052: Parent: 0x002f4	Child: 0x004d4	SessionId->0	Service Process	jhi_service.ex
	No.053: Parent: 0x002f4	Child: 0x006bc	SessionId->0	Service Process	LMS.exe
	No.054: Parent: 0x002f4	Child: 0x00ca8	SessionId->0	Service Process	wmpnetwk.exe
	No.055: Parent: 0x002f4	Child: 0x015b8	SessionId->0	Service Process	iPodService.ex
	No.056: Parent: 0x01ccc	Child: 0x00130	SessionId->2	User Process	csrss.exe
	No.057: Parent: 0x01ccc	Child: 0x00af4	SessionId->2	User Process	winlogon.exe
	No.058: Parent: 0x00af4	Child: 0x00f7c	SessionId->2	User Process	dwm.exe
	No.059: Parent: 0x00124	Child: 0x0175c	SessionId->2	User Process	nvxdsync.exe
	No.060: Parent: 0x00124	Child: 0x00748	SessionId->2	User Process	nvvsvc.exe
	No.061: Parent: 0x00424	Child: 0x0149c	SessionId->2	User Process	TabTip.exe
	No.062: Parent: 0x0050c	Child: 0x01e28	SessionId->2	User Process	HControl.exe
	No.063: Parent: 0x00734	Child: 0x01570	SessionId->2	User Process	InsOnWMI.exe
	No.064: Parent: 0x00830	Child: 0x00fb0	SessionId->2	User Process	NIS.exe
	No.065: Parent: 0x002bc	Child: 0x00868	SessionId->2	User Process	taskhostex.exe
	No.066: Parent: 0x002bc	Child: 0x019a8	SessionId->2	User Process	BatteryLife.ex
	No.067: Parent: 0x002bc	Child: 0x00d98	SessionId->2	User Process	USBChargerPlus
	No.068: Parent: 0x002bc	Child: 0x0134c	SessionId->2	User Process	ASUS Console S
	No.069: Parent: 0x002bc	Child: 0x01994	SessionId->2	User Process	AsPatchTouchPa
	No.070: Parent: 0x002bc	Child: 0x01688	SessionId->2	User Process	ACMON.exe
	No.071: Parent: 0x002bc	Child: 0x01dcc	SessionId->2	User Process	ColorUService.
	No.072: Parent: 0x01e28	Child: 0x011a8	SessionId->2	User Process	KBFiltr.exe
	No.073: Parent: 0x00a44	Child: 0x018cc	SessionId->2	User Process	ATKOSD2.exe
	No.074: Parent: 0x01974	Child: 0x01a14	SessionId->2	User Process	DMedia.exe
	No.075: Parent: 0x00f70	Child: 0x000f8	SessionId->2	User Process	NvBackend.exe
	No.076: Parent: 0x01dd8	Child: 0x01d40	SessionId->2	User Process	explorer.exe
	No.077: Parent: 0x00354	Child: 0x01920	SessionId->2	User Process	livecomm.exe
	No.078: Parent: 0x00354	Child: 0x011a4	SessionId->2	User Process	SkyDrive.exe
	No.079: Parent: 0x00424	Child: 0x00b2c	SessionId->2	User Process	TabTip.exe
	No.080: Parent: 0x00b2c	Child: 0x0086c	SessionId->2	User Process	TabTip32.exe
	No.081: Parent: 0x0175c	Child: 0x00348	SessionId->2	User Process	nvtray.exe
	No.082: Parent: 0x00354	Child: 0x01250	SessionId->2	User Process	RuntimeBroker.
	No.083: Parent: 0x00bb4	Child: 0x0160c	SessionId->2	User Process	AsusTPLoader.e
	No.084: Parent: 0x0160c	Child: 0x01b5c	SessionId->2	User Process	QuickGesture64
	No.085: Parent: 0x0160c	Child: 0x00950	SessionId->2	User Process	QuickGesture.e
	No.086: Parent: 0x0160c	Child: 0x00ba4	SessionId->2	User Process	AsusTPCenter.e
	No.087: Parent: 0x00ba4	Child: 0x01b7c	SessionId->2	User Process	AsusTPHelper.e
	No.088: Parent: 0x01e34	Child: 0x00fc8	SessionId->2	User Process	igfxpers.exe
	No.089: Parent: 0x00354	Child: 0x0147c	SessionId->2	User Process	igfxsrvc.exe
	No.090: Parent: 0x01d40	Child: 0x00c04	SessionId->2	User Process	igfxtray.exe
	No.091: Parent: 0x01d40	Child: 0x004ec	SessionId->2	User Process	hkcmd.exe
	No.092: Parent: 0x01d40	Child: 0x01c44	SessionId->2	User Process	DptfPolicyLpmS
	No.093: Parent: 0x01d40	Child: 0x016d0	SessionId->2	User Process	rundll32.exe
	No.094: Parent: 0x01d40	Child: 0x01140	SessionId->2	User Process	chrome.exe
	No.095: Parent: 0x01d40	Child: 0x00e78	SessionId->2	User Process	googledrivesyn
	No.096: Parent: 0x01d40	Child: 0x00a24	SessionId->2	User Process	ScanToPCActiva
	No.097: Parent: 0x01d40	Child: 0x006c4	SessionId->2	User Process	GROOVE.EXE
	No.098: Parent: 0x01140	Child: 0x01468	SessionId->2	User Process	chrome.exe
	No.099: Parent: 0x01280	Child: 0x01050	SessionId->2	User Process	PDVD10Serv.exe
	No.100: Parent: 0x01140	Child: 0x0185c	SessionId->2	User Process	chrome.exe
	No.101: Parent: 0x01140	Child: 0x018d0	SessionId->2	User Process	chrome.exe
	No.102: Parent: 0x01140	Child: 0x00fc4	SessionId->2	User Process	chrome.exe
	No.103: Parent: 0x01140	Child: 0x00eb4	SessionId->2	User Process	chrome.exe
	No.104: Parent: 0x01140	Child: 0x01680	SessionId->2	User Process	chrome.exe
	No.105: Parent: 0x01140	Child: 0x01ec8	SessionId->2	User Process	chrome.exe
	No.106: Parent: 0x01140	Child: 0x013f4	SessionId->2	User Process	chrome.exe
	No.107: Parent: 0x01140	Child: 0x00f68	SessionId->2	User Process	chrome.exe
	No.108: Parent: 0x01140	Child: 0x00624	SessionId->2	User Process	chrome.exe
	No.109: Parent: 0x01140	Child: 0x0139c	SessionId->2	User Process	chrome.exe
	No.110: Parent: 0x01280	Child: 0x002d8	SessionId->2	User Process	jusched.exe
	No.111: Parent: 0x01140	Child: 0x0177c	SessionId->2	User Process	chrome.exe
	No.112: Parent: 0x01140	Child: 0x010d8	SessionId->2	User Process	chrome.exe
	No.113: Parent: 0x01140	Child: 0x01e1c	SessionId->2	User Process	chrome.exe
	No.114: Parent: 0x01140	Child: 0x00298	SessionId->2	User Process	chrome.exe
	No.115: Parent: 0x01280	Child: 0x01d28	SessionId->2	User Process	iTunesHelper.e
	No.116: Parent: 0x01280	Child: 0x00824	SessionId->2	User Process	hpwuschd2.exe
	No.117: Parent: 0x01140	Child: 0x0157c	SessionId->2	User Process	cmd.exe
	No.118: Parent: 0x0157c	Child: 0x01ecc	SessionId->2	User Process	conhost.exe
	No.119: Parent: 0x0157c	Child: 0x0108c	SessionId->2	User Process	coNatHst.exe
	No.120: Parent: 0x01140	Child: 0x01f20	SessionId->2	User Process	nacl64.exe
	No.121: Parent: 0x01f20	Child: 0x0187c	SessionId->2	User Process	nacl64.exe
	No.122: Parent: 0x00e78	Child: 0x010b8	SessionId->2	User Process	googledrivesyn
	No.123: Parent: 0x002bc	Child: 0x01af8	SessionId->2	User Process	RAVBg64.exe
	No.124: Parent: 0x002bc	Child: 0x01730	SessionId->2	User Process	RAVCpl64.exe
	No.125: Parent: 0x00354	Child: 0x00a34	SessionId->2	User Process	glcnd.exe
	No.126: Parent: 0x00354	Child: 0x0035c	SessionId->2	User Process	SettingSyncHos
	No.127: Parent: 0x01140	Child: 0x01734	SessionId->2	User Process	chrome.exe
	No.128: Parent: 0x01140	Child: 0x01e80	SessionId->2	User Process	chrome.exe
	No.129: Parent: 0x01140	Child: 0x007f8	SessionId->2	User Process	chrome.exe
	No.130: Parent: 0x006c4	Child: 0x00620	SessionId->2	User Process	MSOSYNC.EXE
	No.131: Parent: 0x01154	Child: 0x01f98	SessionId->0	System Process	SearchProtocol
	No.132: Parent: 0x01154	Child: 0x01d00	SessionId->0	System Process	SearchFilterHo
	No.133: Parent: 0x00184	Child: 0x00e14	SessionId->0	System Process	audiodg.exe
	No.134: Parent: 0x00354	Child: 0x01840	SessionId->2	User Process	WWAHost.exe
	No.135: Parent: 0x00354	Child: 0x012e4	SessionId->2	User Process	BackgroundTran
 セッション単位でのプロセスの分離が行われ、Windows 7の解析結果と比較しますと、起動順とプロセス間の親子関係がさらに複雑になっています。最新のWindows 10ではどうなっているでしょう。
1: kd> vertarget
Windows 10 Kernel Version 10240 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 10240.16393.amd64fre.th1_st1.150717-1719
Machine Name:
Kernel base = 0xfffff802`2941a000 PsLoadedModuleList = 0xfffff802`2973f030
Debug session time: Mon Aug  3 17:16:15.086 2015 (UTC + 9:00)
System Uptime: 0 days 1:19:12.780


	No.001: Parent: 0x00000	Child: 0x00004	System
	No.002: Parent: 0x00004	Child: 0x00144	smss.exe
	No.003: Parent: 0x001f0	Child: 0x001f8	SessionId->0	System Process	csrss.exe
	No.004: Parent: 0x001f0	Child: 0x0024c	SessionId->0	System Process	wininit.exe
	No.005: Parent: 0x0024c	Child: 0x002b4	SessionId->0	System Process	services.exe
	No.006: Parent: 0x0024c	Child: 0x002c8	SessionId->0	System Process	lsass.exe
	No.007: Parent: 0x002b4	Child: 0x00318	SessionId->0	Service Process	svchost.exe
	No.008: Parent: 0x002b4	Child: 0x00350	SessionId->0	Service Process	svchost.exe
	No.009: Parent: 0x002b4	Child: 0x003a0	SessionId->0	Service Process	sppsvc.exe
	No.010: Parent: 0x002b4	Child: 0x001b0	SessionId->0	Service Process	svchost.exe
	No.011: Parent: 0x002b4	Child: 0x00130	SessionId->0	Service Process	svchost.exe
	No.012: Parent: 0x002b4	Child: 0x00008	SessionId->0	Service Process	svchost.exe
	No.013: Parent: 0x002b4	Child: 0x00448	SessionId->0	Service Process	svchost.exe
	No.014: Parent: 0x002b4	Child: 0x00484	SessionId->0	Service Process	svchost.exe
	No.015: Parent: 0x002b4	Child: 0x00504	SessionId->0	Service Process	svchost.exe
	No.016: Parent: 0x002b4	Child: 0x005fc	SessionId->0	Service Process	spoolsv.exe
	No.017: Parent: 0x002b4	Child: 0x006f0	SessionId->0	Service Process	svchost.exe
	No.018: Parent: 0x002b4	Child: 0x00728	SessionId->0	Service Process	svchost.exe
	No.019: Parent: 0x002b4	Child: 0x00764	SessionId->0	Service Process	armsvc.exe
	No.020: Parent: 0x002b4	Child: 0x007a8	SessionId->0	Service Process	svchost.exe
	No.021: Parent: 0x002b4	Child: 0x007e4	SessionId->0	Service Process	mqsvc.exe
	No.022: Parent: 0x002b4	Child: 0x00704	SessionId->0	Service Process	TosCoSrv.exe
	No.023: Parent: 0x002b4	Child: 0x00518	SessionId->0	Service Process	msdtc.exe
	No.024: Parent: 0x002b4	Child: 0x00994	SessionId->0	Service Process	dllhost.exe
	No.025: Parent: 0x00318	Child: 0x00378	SessionId->0	System Process	dllhost.exe
	No.026: Parent: 0x002b4	Child: 0x003fc	SessionId->0	Service Process	MsMpEng.exe
	No.027: Parent: 0x002b4	Child: 0x00a90	SessionId->0	Service Process	SearchIndexer.
	No.028: Parent: 0x002b4	Child: 0x00bb0	SessionId->0	Service Process	VSSVC.exe
	No.029: Parent: 0x002b4	Child: 0x00b50	SessionId->0	Service Process	svchost.exe
	No.030: Parent: 0x002b4	Child: 0x00674	SessionId->0	Service Process	svchost.exe
	No.031: Parent: 0x002b4	Child: 0x0092c	SessionId->0	Service Process	svchost.exe
	No.032: Parent: 0x01a80	Child: 0x003dc	SessionId->1	User Process	csrss.exe
	No.033: Parent: 0x01a80	Child: 0x0140c	SessionId->1	User Process	winlogon.exe
	No.034: Parent: 0x0140c	Child: 0x01cc4	SessionId->1	User Process	dwm.exe
	No.035: Parent: 0x00130	Child: 0x00b70	SessionId->1	User Process	sihost.exe
	No.036: Parent: 0x00130	Child: 0x00e7c	SessionId->1	User Process	taskhostw.exe
	No.037: Parent: 0x0140c	Child: 0x00d3c	SessionId->1	User Process	userinit.exe
	No.038: Parent: 0x00d3c	Child: 0x00614	SessionId->1	User Process	explorer.exe
	No.039: Parent: 0x00318	Child: 0x014a4	SessionId->1	User Process	RuntimeBroker.
	No.040: Parent: 0x00318	Child: 0x00464	SessionId->1	User Process	SearchUI.exe
	No.041: Parent: 0x00614	Child: 0x011bc	SessionId->1	User Process	RAVCpl64.exe
	No.042: Parent: 0x00614	Child: 0x010dc	SessionId->1	User Process	TPwrMain.exe
	No.043: Parent: 0x00614	Child: 0x018f4	SessionId->1	User Process	SmoothView.exe
	No.044: Parent: 0x00614	Child: 0x011c0	SessionId->1	User Process	TCrdMain.exe
	No.045: Parent: 0x00614	Child: 0x00ce4	SessionId->1	User Process	OneDrive.exe
	No.046: Parent: 0x002b4	Child: 0x016a8	SessionId->1	User Process	svchost.exe
	No.047: Parent: 0x00318	Child: 0x01b94	SessionId->1	User Process	ImeBroker.exe
	No.048: Parent: 0x00318	Child: 0x01d60	SessionId->1	User Process	ApplicationFra
	No.049: Parent: 0x00318	Child: 0x00a60	SessionId->1	User Process	ShellExperienc
	No.050: Parent: 0x00008	Child: 0x01d4c	SessionId->0	System Process	audiodg.exe
	No.051: Parent: 0x00614	Child: 0x013d0	SessionId->1	User Process	thunderbird.ex
	No.052: Parent: 0x00318	Child: 0x01434	SessionId->0	System Process	WmiPrvSE.exe
	No.053: Parent: 0x00318	Child: 0x011fc	SessionId->1	User Process	InstallAgent.e
	No.054: Parent: 0x01564	Child: 0x01be0	SessionId->1	User Process	chrome.exe
	No.055: Parent: 0x00614	Child: 0x01bf0	SessionId->1	User Process	NotMyfault.exe
	No.056: Parent: 0x00a90	Child: 0x01318	SessionId->1	User Process	SearchProtocol
	No.057: Parent: 0x00a90	Child: 0x01f20	SessionId->0	System Process	SearchFilterHo
	No.058: Parent: 0x00a90	Child: 0x01f28	SessionId->0	System Process	SearchProtocol
 この結果を見ると、Windows 7時代とほとんど変化がないように見えます。ところが、新しいビルド番号を持つWindows 10環境では、2000年初頭からのセキュリティー投資効果が次のように反映されています。
1: kd> vertarget
Windows 10 Kernel Version 10586 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 10586.162.amd64fre.th2_release_sec.160223-1728
Machine Name:
Kernel base = 0xfffff800`40c7e000 PsLoadedModuleList = 0xfffff800`40f5ccd0
Debug session time: Wed Mar 23 08:01:18.208 2016 (UTC + 9:00)
System Uptime: 0 days 15:55:12.887


	No.001: Parent: 0x00000	Child: 0x00004	System
	No.002: Parent: 0x00004	Child: 0x0014c	smss.exe
	No.003: Parent: 0x001d4	Child: 0x001e0	SessionId->0	System Process	csrss.exe
	No.004: Parent: 0x0014c	Child: 0x00220	SessionId->1	User Process	smss.exe
	No.005: Parent: 0x001d4	Child: 0x00228	SessionId->0	System Process	wininit.exe
	No.006: Parent: 0x00220	Child: 0x00238	SessionId->1	User Process	csrss.exe
	No.007: Parent: 0x00228	Child: 0x0026c	SessionId->0	System Process	services.exe
	No.008: Parent: 0x00228	Child: 0x00274	SessionId->0	System Process	lsass.exe
	No.009: Parent: 0x00220	Child: 0x002b4	SessionId->1	User Process	winlogon.exe
	No.010: Parent: 0x0026c	Child: 0x002f8	SessionId->0	Service Process	svchost.exe
	No.011: Parent: 0x0026c	Child: 0x00324	SessionId->0	Service Process	svchost.exe
	No.012: Parent: 0x002b4	Child: 0x003b4	SessionId->1	User Process	dwm.exe
	No.013: Parent: 0x0026c	Child: 0x00044	SessionId->0	Service Process	svchost.exe
	No.014: Parent: 0x0026c	Child: 0x00164	SessionId->0	Service Process	svchost.exe
        [---]
 この結果をご覧になる際には、「smss.exe」(セッションマネージャー)と「winlogon.exe」プロセスの親子関係に着目されるとよいでしょう。この2つのプロセス間の関係はWindows XP時代の考え方に逆戻りした(「smss.exe」が「winlogon.exe」を起動する)印象を受けますが、実際には、「smss.exe」(セッションマネージャー)プロセスの親子関係と動作仕様が設計変更され、サンドボックス化が進められています。このような短サイクルでのカーネル内部変更をつぶさに目撃すると、長期に渡るセキュリティー分野への投資効果が今後もカーネルレベルで大胆に、かつ、知らぬ間に実装されてくることを覚悟しないわけにまいりません。また、このようなきわめて重要なカーネル内部仕様の変更情報はタイミングよく公開されることはまず期待できない!、という点も認識しておくべきでしょう。



「Windowsメモリダンプ解析サービス」のご案内




ビジネス
Windows内部解析技術資料

Copyright©豊田孝 2004- 2020
本日は2020-01-29です。