This publicly available IT談話館 article is intended for senior Windows engineers with more than ten years of practical development experience.
The technical depth made public is limited to what does not interfere with the business of IT談話館.
Analyzing a complete memory dump lets you detect and analyze "anomalous activity" inside the system as of the moment the dump was captured.
"Anomalous activity" includes the following:
- Causes of system crashes
- Security threats
- Degraded system performance
- Abnormal behavior of existing applications
Sessions and Processes on Windows XP/7/8/10
The chief author of IT談話館, 豊田孝, is a leading authority on DKOM (Direct Kernel Object Manipulation)-based analysis techniques and is at the forefront of Windows kernel-space analysis worldwide.
Processes on a Windows system fall into three broad categories: user processes, system processes, and service processes. Since Windows Vista, system processes and service processes are started inside session 0 by "session isolation" and can no longer be accessed by user processes running in other sessions.
This article focuses on that session isolation: kernel memory dumps captured on Windows XP, 7, 8 and 10 are analyzed with IT談話館's own code to trace how system, service and user processes have changed across versions.
First, for Windows Vista and later, system, service and user processes are defined as follows:
- A system process runs in session 0 and is not a child of the SCM
- A service process runs in session 0 and is a child of the SCM
- A user process runs in a session other than session 0 and is not a child of the SCM either
Let us now look at the analysis results for kernel memory dumps captured on Windows XP, 7, 8 and 10. As the Windows version rises, the composition of the three process types changes drastically. We begin with the results for Windows XP, which was released before Windows Vista.
kd> vertarget
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.070227-2254
Machine Name:
Kernel base = 0x804d9000 PsLoadedModuleList = 0x8055c620
Debug session time: Wed Jun 4 19:50:12.855 2008 (UTC + 9:00)
System Uptime: 0 days 0:09:06.425
No.001: Parent: 0x00000 Child: 0x00004 System
No.002: Parent: 0x00004 Child: 0x00198 smss.exe
No.003: Parent: 0x00198 Child: 0x001c8 SessionId->0 System Process csrss.exe
No.004: Parent: 0x00198 Child: 0x001e0 SessionId->0 System Process winlogon.exe
No.005: Parent: 0x001e0 Child: 0x0020c SessionId->0 System Process services.exe
No.006: Parent: 0x001e0 Child: 0x00218 SessionId->0 System Process lsass.exe
No.007: Parent: 0x0020c Child: 0x002d4 SessionId->0 Service Process svchost.exe
No.008: Parent: 0x0020c Child: 0x00314 SessionId->0 Service Process svchost.exe
No.009: Parent: 0x0020c Child: 0x00358 SessionId->0 Service Process svchost.exe
No.010: Parent: 0x0020c Child: 0x003a0 SessionId->0 Service Process blinksvc.exe
No.011: Parent: 0x0020c Child: 0x003d8 SessionId->0 Service Process svchost.exe
No.012: Parent: 0x002d4 Child: 0x00400 SessionId->0 System Process blinkrm.exe
No.013: Parent: 0x0020c Child: 0x00514 SessionId->0 Service Process spoolsv.exe
No.014: Parent: 0x0020c Child: 0x00560 SessionId->0 Service Process alg.exe
No.015: Parent: 0x0020c Child: 0x00598 SessionId->0 Service Process mdm.exe
No.016: Parent: 0x0020c Child: 0x005c0 SessionId->0 Service Process tcpsvcs.exe
No.017: Parent: 0x0020c Child: 0x005e0 SessionId->0 Service Process snmp.exe
No.018: Parent: 0x0020c Child: 0x00658 SessionId->0 Service Process wdfmgr.exe
No.019: Parent: 0x0020c Child: 0x006c8 SessionId->0 Service Process EEYEEVNT.exe
No.020: Parent: 0x00358 Child: 0x005a8 SessionId->0 System Process wuauclt.exe
No.021: Parent: 0x001bc Child: 0x004bc SessionId->0 System Process explorer.exe
No.022: Parent: 0x002d4 Child: 0x005d4 SessionId->0 System Process wmiprvse.exe
No.023: Parent: 0x004bc Child: 0x0095c SessionId->0 System Process hkcmd.exe
No.024: Parent: 0x004bc Child: 0x00964 SessionId->0 System Process jusched.exe
No.025: Parent: 0x004bc Child: 0x00970 SessionId->0 System Process reader_sl.exe
No.026: Parent: 0x004bc Child: 0x00984 SessionId->0 System Process ctfmon.exe
No.027: Parent: 0x004bc Child: 0x009b8 SessionId->0 System Process BLINK.EXE
This is only a small part of the output of IT談話館's own analysis code. Looking at it, before Windows Vista every process was started inside "SessionId->0". Also, in this output the two processes "System" and "smss.exe" are treated as special cases without a SessionId, but in fact they have both properties, "SessionId->0" and "System Process" (see the separate article).
From a security standpoint, since all processes share a single session space, various risks remain. This listing also shows the order in which processes are started from system startup, so pay attention to the start order and the parent of the "winlogon.exe" process, which displays the user name and password prompt and creates the token. If a parent process is compromised, the effect extends to its child processes. As the Windows version rises, parent-child relationships between processes grow more complex as a result of security hardening (see the separate article).
Let us see what changed in Windows 7, which was released after Windows Vista.
4: kd> vertarget
Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.22616.amd64fre.win7sp1_ldr.140303-2307
Machine Name:
Kernel base = 0xfffff800`03a54000 PsLoadedModuleList = 0xfffff800`03c98890
Debug session time: Sat Sep 20 09:58:01.081 2014 (UTC + 9:00)
System Uptime: 0 days 2:46:44.174
No.001: Parent: 0x00000 Child: 0x00004 System
No.002: Parent: 0x00004 Child: 0x001ac smss.exe
No.003: Parent: 0x001f4 Child: 0x0023c SessionId->0 System Process csrss.exe
No.004: Parent: 0x001ac Child: 0x002ac SessionId->0 System Process psxss.exe
No.005: Parent: 0x002b4 Child: 0x002c0 SessionId->1 User Process csrss.exe
No.006: Parent: 0x001f4 Child: 0x002cc SessionId->0 System Process wininit.exe
No.007: Parent: 0x002cc Child: 0x002f8 SessionId->0 System Process services.exe
No.008: Parent: 0x002cc Child: 0x00308 SessionId->0 System Process lsass.exe
No.009: Parent: 0x002cc Child: 0x00310 SessionId->0 System Process lsm.exe
No.010: Parent: 0x002b4 Child: 0x00330 SessionId->1 User Process winlogon.exe
No.011: Parent: 0x002f8 Child: 0x003a4 SessionId->0 Service Process svchost.exe
No.012: Parent: 0x002f8 Child: 0x003f4 SessionId->0 Service Process nvvsvc.exe
No.013: Parent: 0x002f8 Child: 0x00184 SessionId->0 Service Process svchost.exe
No.014: Parent: 0x002f8 Child: 0x003e8 SessionId->0 Service Process svchost.exe
No.015: Parent: 0x002f8 Child: 0x00408 SessionId->0 Service Process svchost.exe
No.016: Parent: 0x002f8 Child: 0x00430 SessionId->0 Service Process svchost.exe
No.017: Parent: 0x002f8 Child: 0x00450 SessionId->0 Service Process svchost.exe
No.018: Parent: 0x003e8 Child: 0x004d8 SessionId->0 System Process audiodg.exe
No.019: Parent: 0x002f8 Child: 0x00524 SessionId->0 Service Process CTAudSvc.exe
No.020: Parent: 0x002f8 Child: 0x00578 SessionId->0 Service Process svchost.exe
No.021: Parent: 0x002f8 Child: 0x005ec SessionId->0 Service Process svchost.exe
No.022: Parent: 0x003f4 Child: 0x00610 SessionId->1 User Process nvxdsync.exe
No.023: Parent: 0x003f4 Child: 0x00620 SessionId->1 User Process nvvsvc.exe
No.024: Parent: 0x002f8 Child: 0x00704 SessionId->0 Service Process spoolsv.exe
No.025: Parent: 0x002f8 Child: 0x00754 SessionId->0 Service Process svchost.exe
No.026: Parent: 0x002f8 Child: 0x007dc SessionId->0 Service Process armsvc.exe
No.027: Parent: 0x002f8 Child: 0x00520 SessionId->0 Service Process CLMSMonitorSer
No.028: Parent: 0x002f8 Child: 0x005b8 SessionId->0 Service Process CLMSServerPDVD
No.029: Parent: 0x00520 Child: 0x00604 SessionId->0 System Process CLMSServerPDVD
No.030: Parent: 0x002f8 Child: 0x0053c SessionId->0 Service Process ekrn.exe
No.031: Parent: 0x002f8 Child: 0x00720 SessionId->0 Service Process svchost.exe
No.032: Parent: 0x002f8 Child: 0x00724 SessionId->0 Service Process LMS.exe
No.033: Parent: 0x002f8 Child: 0x00824 SessionId->0 Service Process mbae-svc.exe
No.034: Parent: 0x002f8 Child: 0x00864 SessionId->0 Service Process mdm.exe
No.035: Parent: 0x00824 Child: 0x008dc SessionId->0 System Process mbae64.exe
No.036: Parent: 0x002f8 Child: 0x009ec SessionId->0 Service Process sqlservr.exe
No.037: Parent: 0x002f8 Child: 0x00a1c SessionId->0 Service Process nTuneService.e
No.038: Parent: 0x002f8 Child: 0x00a98 SessionId->0 Service Process o2flash.exe
No.039: Parent: 0x002f8 Child: 0x00ab8 SessionId->0 Service Process PnkBstrA.exe
No.040: Parent: 0x002f8 Child: 0x00af4 SessionId->0 Service Process Rebit-Pro-Svc.
No.041: Parent: 0x002f8 Child: 0x00be0 SessionId->0 Service Process TCPSVCS.EXE
No.042: Parent: 0x002f8 Child: 0x00bf4 SessionId->0 Service Process snmp.exe
No.043: Parent: 0x002f8 Child: 0x00784 SessionId->0 Service Process svchost.exe
No.044: Parent: 0x002f8 Child: 0x00a10 SessionId->0 Service Process ThpSrv.exe
No.045: Parent: 0x002f8 Child: 0x00ab4 SessionId->0 Service Process TODDSrv.exe
No.046: Parent: 0x002f8 Child: 0x00c18 SessionId->0 Service Process TosCoSrv.exe
No.047: Parent: 0x002f8 Child: 0x00c7c SessionId->0 Service Process TecoService.ex
No.048: Parent: 0x002f8 Child: 0x00cac SessionId->0 Service Process UNS.exe
No.049: Parent: 0x002f8 Child: 0x00cc4 SessionId->0 Service Process svchost.exe
No.050: Parent: 0x002f8 Child: 0x00cd8 SessionId->0 Service Process svchost.exe
No.051: Parent: 0x002f8 Child: 0x00d00 SessionId->0 Service Process WLIDSVC.EXE
No.052: Parent: 0x002f8 Child: 0x00d78 SessionId->0 Service Process SearchIndexer.
No.053: Parent: 0x00d00 Child: 0x00db0 SessionId->0 System Process WLIDSVCM.EXE
No.054: Parent: 0x002f8 Child: 0x00e08 SessionId->0 Service Process nfsclnt.exe
No.055: Parent: 0x003a4 Child: 0x00f78 SessionId->0 System Process WmiPrvSE.exe
No.056: Parent: 0x002f8 Child: 0x01044 SessionId->0 Service Process svchost.exe
No.057: Parent: 0x00408 Child: 0x010e8 SessionId->0 System Process WUDFHost.exe
No.058: Parent: 0x003a4 Child: 0x01228 SessionId->0 System Process WmiPrvSE.exe
No.059: Parent: 0x002f8 Child: 0x01354 SessionId->1 User Process taskhost.exe
No.060: Parent: 0x00408 Child: 0x013dc SessionId->1 User Process dwm.exe
No.061: Parent: 0x013d4 Child: 0x013e4 SessionId->1 User Process explorer.exe
No.062: Parent: 0x00a1c Child: 0x010d8 SessionId->1 User Process nTuneCmd.exe
No.063: Parent: 0x013e4 Child: 0x01174 SessionId->1 User Process SynTPEnh.exe
No.064: Parent: 0x003a4 Child: 0x01180 SessionId->1 User Process explorer.exe
No.065: Parent: 0x013e4 Child: 0x009dc SessionId->1 User Process TPwrMain.exe
No.066: Parent: 0x013e4 Child: 0x00d08 SessionId->1 User Process SmoothView.exe
No.067: Parent: 0x013e4 Child: 0x00740 SessionId->1 User Process TCrdMain.exe
No.068: Parent: 0x01174 Child: 0x012a8 SessionId->1 User Process SynTPHelper.ex
No.069: Parent: 0x013e4 Child: 0x012ac SessionId->1 User Process Teco.exe
No.070: Parent: 0x013e4 Child: 0x01008 SessionId->1 User Process ThpSrv.exe
No.071: Parent: 0x00740 Child: 0x01384 SessionId->1 User Process TCrdKBB.exe
No.072: Parent: 0x013e4 Child: 0x00640 SessionId->1 User Process TosNcCore.exe
No.073: Parent: 0x013e4 Child: 0x007e4 SessionId->1 User Process TosReelTimeMon
No.074: Parent: 0x013e4 Child: 0x00ae0 SessionId->1 User Process HDMICtrlMan.ex
No.075: Parent: 0x013e4 Child: 0x012b8 SessionId->1 User Process XBoxStat.exe
No.076: Parent: 0x002f8 Child: 0x012b4 SessionId->0 Service Process wmpnetwk.exe
No.077: Parent: 0x00974 Child: 0x001e8 SessionId->1 User Process SmartAudio.exe
No.078: Parent: 0x013e4 Child: 0x01018 SessionId->1 User Process DashUI.exe
No.079: Parent: 0x002f8 Child: 0x00538 SessionId->0 Service Process svchost.exe
No.080: Parent: 0x00450 Child: 0x01450 SessionId->1 User Process taskeng.exe
No.081: Parent: 0x01450 Child: 0x0148c SessionId->1 User Process NDSTray.exe
No.082: Parent: 0x00ae0 Child: 0x014d4 SessionId->1 User Process HCMSoundChange
No.083: Parent: 0x013e4 Child: 0x01560 SessionId->1 User Process LCore.exe
No.084: Parent: 0x013e4 Child: 0x0156c SessionId->1 User Process rundll32.exe
No.085: Parent: 0x013e4 Child: 0x01574 SessionId->1 User Process rundll32.exe
No.086: Parent: 0x013e4 Child: 0x0157c SessionId->1 User Process egui.exe
No.087: Parent: 0x013e4 Child: 0x017b0 SessionId->1 User Process SkyDrive.exe
No.088: Parent: 0x013e4 Child: 0x017d0 SessionId->1 User Process sidebar.exe
No.089: Parent: 0x013e4 Child: 0x017e0 SessionId->1 User Process Power2GoExpres
No.090: Parent: 0x013e4 Child: 0x00df4 SessionId->1 User Process TosBtMng.exe
No.091: Parent: 0x003a4 Child: 0x01448 SessionId->0 System Process dllhost.exe
No.092: Parent: 0x001e4 Child: 0x01728 SessionId->1 User Process IAStorIcon.exe
No.093: Parent: 0x001e4 Child: 0x01744 SessionId->1 User Process TWebCamera.exe
No.094: Parent: 0x013e4 Child: 0x0120c SessionId->1 User Process ONENOTEM.EXE
No.095: Parent: 0x002f8 Child: 0x016d4 SessionId->0 Service Process CFIWmxSvcs64.e
No.096: Parent: 0x001e4 Child: 0x01530 SessionId->1 User Process ToshibaService
No.097: Parent: 0x001e4 Child: 0x00c34 SessionId->1 User Process VolPanlu.exe
No.098: Parent: 0x001e4 Child: 0x0180c SessionId->1 User Process SBRecon.exe
No.099: Parent: 0x001e4 Child: 0x01820 SessionId->1 User Process PowerDVD13Agen
No.100: Parent: 0x001e4 Child: 0x019a4 SessionId->1 User Process mbae.exe
No.101: Parent: 0x001e4 Child: 0x01b1c SessionId->1 User Process rundll32.exe
No.102: Parent: 0x001e4 Child: 0x01a18 SessionId->1 User Process jusched.exe
No.103: Parent: 0x002f8 Child: 0x01a98 SessionId->0 Service Process TosBtSrv.exe
No.104: Parent: 0x002f8 Child: 0x01bf0 SessionId->0 Service Process CFSvcs.exe
No.105: Parent: 0x002f8 Child: 0x0147c SessionId->0 Service Process AL6Licensing.e
No.106: Parent: 0x002f8 Child: 0x01b08 SessionId->0 Service Process CTAELicensing.
No.107: Parent: 0x002f8 Child: 0x01aec SessionId->0 Service Process DkService.exe
No.108: Parent: 0x002f8 Child: 0x01a14 SessionId->0 Service Process TPCHSrv.exe
No.109: Parent: 0x002f8 Child: 0x01830 SessionId->0 Service Process TosSmartSrv.ex
No.110: Parent: 0x00444 Child: 0x01ca8 SessionId->1 User Process TosSENotify.ex
No.111: Parent: 0x00394 Child: 0x01ddc SessionId->1 User Process TPCHWMsg.exe
No.112: Parent: 0x0148c Child: 0x01e80 SessionId->1 User Process CFSwMgr.exe
No.113: Parent: 0x00df4 Child: 0x01ec0 SessionId->1 User Process TosA2dp.exe
No.114: Parent: 0x002f8 Child: 0x01f0c SessionId->0 Service Process TurboBoost.exe
No.115: Parent: 0x01c90 Child: 0x01f20 SessionId->0 System Process GoogleUpdate.e
No.116: Parent: 0x002f8 Child: 0x01fd0 SessionId->0 Service Process IAStorDataMgrS
No.117: Parent: 0x01f20 Child: 0x01fe4 SessionId->0 System Process GoogleCrashHan
No.118: Parent: 0x00df4 Child: 0x01c78 SessionId->1 User Process TosBtHid.exe
No.119: Parent: 0x01f20 Child: 0x01bec SessionId->0 System Process GoogleCrashHan
No.120: Parent: 0x00df4 Child: 0x01ccc SessionId->1 User Process TosBtHSP.exe
No.121: Parent: 0x002f8 Child: 0x01e94 SessionId->0 Service Process PresentationFo
No.122: Parent: 0x002f8 Child: 0x0216c SessionId->0 Service Process TMachInfo.exe
No.123: Parent: 0x00824 Child: 0x018b4 SessionId->0 System Process mbae64.exe
No.124: Parent: 0x00824 Child: 0x018f0 SessionId->0 System Process mbae64.exe
No.125: Parent: 0x021b8 Child: 0x02108 SessionId->1 User Process Arc.exe
No.126: Parent: 0x02108 Child: 0x02004 SessionId->1 User Process ArcOSBrowser.e
No.127: Parent: 0x0192c Child: 0x00d50 SessionId->1 User Process crypticError.e
No.128: Parent: 0x01178 Child: 0x01948 SessionId->1 User Process iexplore.exe
No.129: Parent: 0x01948 Child: 0x01a34 SessionId->1 User Process iexplore.exe
No.130: Parent: 0x01948 Child: 0x023a0 SessionId->1 User Process iexplore.exe
No.131: Parent: 0x014e4 Child: 0x0234c SessionId->1 User Process crypticError.e
No.132: Parent: 0x01f8c Child: 0x017ec SessionId->1 User Process GameClient.exe
No.133: Parent: 0x017ec Child: 0x01c58 SessionId->1 User Process ArcOSOverlay.e
As you can see, running processes are now separated by session. The parent of the "winlogon.exe" process is no longer "smss.exe", as in the XP era, but an unidentified process, "0x002b4". Are these security improvements inherited unchanged in Windows 8.1?
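The following script is an added example, not IT談話館's own analysis code. It parses listing lines in the format printed above, applies the three-way definition given at the start of this article (session 0 and child of the SCM = service process; session 0 and not a child of the SCM = system process; any other session = user process), and then runs three checks a reader would want when studying such output: whether the printed label agrees with the definition, which processes have a parent PID that appears nowhere in the listing (the "unidentified" parent of winlogon.exe is one such case), and which SCM children were started outside session 0, a case the three-way definition does not cover. The sample lines are copied from the Windows 7 listing above; the regular expression, class and function names are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: lines copied from the Windows 7 listing on this page, plus one
# banner line to show that non-listing lines are skipped.
SAMPLE_LISTING = """\
4: kd> vertarget
No.001: Parent: 0x00000 Child: 0x00004 System
No.002: Parent: 0x00004 Child: 0x001ac smss.exe
No.003: Parent: 0x001f4 Child: 0x0023c SessionId->0 System Process csrss.exe
No.005: Parent: 0x002b4 Child: 0x002c0 SessionId->1 User Process csrss.exe
No.006: Parent: 0x001f4 Child: 0x002cc SessionId->0 System Process wininit.exe
No.007: Parent: 0x002cc Child: 0x002f8 SessionId->0 System Process services.exe
No.008: Parent: 0x002cc Child: 0x00308 SessionId->0 System Process lsass.exe
No.010: Parent: 0x002b4 Child: 0x00330 SessionId->1 User Process winlogon.exe
No.011: Parent: 0x002f8 Child: 0x003a4 SessionId->0 Service Process svchost.exe
No.014: Parent: 0x002f8 Child: 0x003e8 SessionId->0 Service Process svchost.exe
No.018: Parent: 0x003e8 Child: 0x004d8 SessionId->0 System Process audiodg.exe
No.059: Parent: 0x002f8 Child: 0x01354 SessionId->1 User Process taskhost.exe
No.061: Parent: 0x013d4 Child: 0x013e4 SessionId->1 User Process explorer.exe
"""

# One line of the listing format used on this page (the "SeqNo." prefix of the
# Windows 11 output is accepted too). The SessionId/label part is optional because
# the tool prints none for System and smss.exe; the name is the rest of the line,
# since it may contain spaces and is truncated by the original tool.
LINE_RE = re.compile(
    r"^(?:Seq)?No\.(?P<seq>\d+):\s+Parent:\s+(?P<parent>0x[0-9a-fA-F]+)"
    r"\s+Child:\s+(?P<pid>0x[0-9a-fA-F]+)"
    r"(?:\s+SessionId->(?P<session>\d+)\s+(?P<label>System|Service|User) Process)?"
    r"\s+(?P<name>.+?)\s*$"
)


@dataclass
class Proc:
    seq: int
    parent: int
    pid: int
    session: Optional[int]   # None when the listing printed no SessionId
    label: Optional[str]     # label printed by the tool, if any
    name: str


def parse_listing(text: str) -> list:
    """Parse every listing line; banner lines such as 'kd> vertarget' are ignored."""
    procs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        procs.append(Proc(
            seq=int(m["seq"]),
            parent=int(m["parent"], 16),
            pid=int(m["pid"], 16),
            session=int(m["session"]) if m["session"] is not None else None,
            label=m["label"],
            name=m["name"],
        ))
    return procs


def find_scm_pid(procs: list) -> int:
    """services.exe hosts the Service Control Manager; its PID anchors the definition."""
    for p in procs:
        if p.name.lower() == "services.exe":
            return p.pid
    raise ValueError("services.exe not found in listing")


def classify(p: Proc, scm_pid: int) -> str:
    """Apply the article's three-way definition to one process."""
    if p.session is None:
        # System and smss.exe: the article states they are session-0 system processes.
        return "System"
    if p.session == 0:
        return "Service" if p.parent == scm_pid else "System"
    return "User"


def audit(procs: list) -> dict:
    """Cross-check the listing against the definition and the parent-child chain."""
    scm_pid = find_scm_pid(procs)
    known_pids = {p.pid for p in procs}
    report = {"mismatched_labels": [], "unknown_parents": [],
              "scm_children_outside_session0": []}
    for p in procs:
        kind = classify(p, scm_pid)
        if p.label is not None and p.label != kind:
            report["mismatched_labels"].append((p.name, p.label, kind))
        # A parent PID absent from the listing: the parent has exited or is not
        # shown, which is exactly the "unidentified parent" case for winlogon.exe.
        if p.parent != 0 and p.parent not in known_pids:
            report["unknown_parents"].append((p.name, f"0x{p.parent:05x}"))
        # SCM children outside session 0 fall between the article's three categories.
        if p.parent == scm_pid and p.session not in (None, 0):
            report["scm_children_outside_session0"].append((p.name, p.session))
    return report


if __name__ == "__main__":
    for key, rows in audit(parse_listing(SAMPLE_LISTING)).items():
        print(key)
        for row in rows:
            print("   ", row)
```

On the Windows 7 sample the labels all agree with the definition, winlogon.exe and the session 1 csrss.exe report the unknown parent 0x002b4 discussed above, csrss.exe and wininit.exe in session 0 report 0x001f4, explorer.exe reports 0x013d4, and taskhost.exe shows up as an SCM child running in session 1. Reading a full listing from a dump, the unknown-parent list is the first place to look when deciding whether a parent has simply exited or whether the chain from smss.exe to winlogon.exe has been redesigned, as the later Windows 10 build shows.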
2: kd> vertarget
Windows 8.1 Kernel Version 9600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 9600.17238.amd64fre.winblue_gdr.140723-2018
Machine Name:
Kernel base = 0xfffff801`6868c000 PsLoadedModuleList = 0xfffff801`68956350
Debug session time: Thu Oct 9 00:34:44.270 2014 (UTC + 9:00)
System Uptime: 0 days 13:38:52.140
No.001: Parent: 0x00000 Child: 0x00004 System
No.002: Parent: 0x00004 Child: 0x00150 smss.exe
No.003: Parent: 0x001f4 Child: 0x00208 SessionId->0 System Process csrss.exe
No.004: Parent: 0x001f4 Child: 0x00288 SessionId->0 System Process wininit.exe
No.005: Parent: 0x00288 Child: 0x002f4 SessionId->0 System Process services.exe
No.006: Parent: 0x00288 Child: 0x002fc SessionId->0 System Process lsass.exe
No.007: Parent: 0x002f4 Child: 0x00354 SessionId->0 Service Process svchost.exe
No.008: Parent: 0x002f4 Child: 0x00388 SessionId->0 Service Process svchost.exe
No.009: Parent: 0x002f4 Child: 0x00124 SessionId->0 Service Process nvvsvc.exe
No.010: Parent: 0x002f4 Child: 0x00184 SessionId->0 Service Process svchost.exe
No.011: Parent: 0x002f4 Child: 0x002bc SessionId->0 Service Process svchost.exe
No.012: Parent: 0x002f4 Child: 0x00398 SessionId->0 Service Process svchost.exe
No.013: Parent: 0x002f4 Child: 0x00424 SessionId->0 Service Process svchost.exe
No.014: Parent: 0x002f4 Child: 0x004bc SessionId->0 Service Process svchost.exe
No.015: Parent: 0x002f4 Child: 0x0050c SessionId->0 Service Process AsLdrSrv.exe
No.016: Parent: 0x002f4 Child: 0x00558 SessionId->0 Service Process GFNEXSrv.exe
No.017: Parent: 0x00424 Child: 0x00598 SessionId->0 System Process wlanext.exe
No.018: Parent: 0x00598 Child: 0x005a0 SessionId->0 System Process conhost.exe
No.019: Parent: 0x002f4 Child: 0x005f4 SessionId->0 Service Process spoolsv.exe
No.020: Parent: 0x002f4 Child: 0x00614 SessionId->0 Service Process svchost.exe
No.021: Parent: 0x002f4 Child: 0x00630 SessionId->0 Service Process svchost.exe
No.022: Parent: 0x002f4 Child: 0x006f0 SessionId->0 Service Process armsvc.exe
No.023: Parent: 0x002f4 Child: 0x0070c SessionId->0 Service Process AppleMobileDev
No.024: Parent: 0x002f4 Child: 0x00734 SessionId->0 Service Process InsOnSrv.exe
No.025: Parent: 0x002f4 Child: 0x0075c SessionId->0 Service Process mDNSResponder.
No.026: Parent: 0x002f4 Child: 0x0077c SessionId->0 Service Process officeclicktor
No.027: Parent: 0x002f4 Child: 0x007b4 SessionId->0 Service Process DptfParticipan
No.028: Parent: 0x002f4 Child: 0x007e8 SessionId->0 Service Process DptfPolicyConf
No.029: Parent: 0x002f4 Child: 0x0040c SessionId->0 Service Process DptfPolicyCrit
No.030: Parent: 0x00424 Child: 0x00434 SessionId->0 System Process dasHost.exe
No.031: Parent: 0x002f4 Child: 0x00484 SessionId->0 Service Process DptfPolicyLpmS
No.032: Parent: 0x002f4 Child: 0x00518 SessionId->0 Service Process EvtEng.exe
No.033: Parent: 0x002f4 Child: 0x005e0 SessionId->0 Service Process GfExperienceSe
No.034: Parent: 0x002f4 Child: 0x00830 SessionId->0 Service Process NIS.exe
No.035: Parent: 0x002f4 Child: 0x00894 SessionId->0 Service Process NvNetworkServi
No.036: Parent: 0x002f4 Child: 0x0092c SessionId->0 Service Process nvstreamsvc.ex
No.037: Parent: 0x002f4 Child: 0x00968 SessionId->0 Service Process RegSrvc.exe
No.038: Parent: 0x002f4 Child: 0x00980 SessionId->0 Service Process svchost.exe
No.039: Parent: 0x002f4 Child: 0x009a8 SessionId->0 Service Process ZeroConfigServ
No.040: Parent: 0x00354 Child: 0x009e4 SessionId->0 System Process unsecapp.exe
No.041: Parent: 0x00354 Child: 0x00a50 SessionId->0 System Process WmiPrvSE.exe
No.042: Parent: 0x002f4 Child: 0x00b68 SessionId->0 Service Process svchost.exe
No.043: Parent: 0x0092c Child: 0x00c10 SessionId->0 System Process nvstreamsvc.ex
No.044: Parent: 0x00c10 Child: 0x00c18 SessionId->0 System Process conhost.exe
No.045: Parent: 0x00734 Child: 0x00a28 SessionId->1 User Process InsOnWMI.exe
No.046: Parent: 0x002f4 Child: 0x01154 SessionId->0 Service Process SearchIndexer.
No.047: Parent: 0x008e4 Child: 0x011e8 SessionId->0 System Process GoogleCrashHan
No.048: Parent: 0x008e4 Child: 0x0128c SessionId->0 System Process GoogleCrashHan
No.049: Parent: 0x002f4 Child: 0x01318 SessionId->0 Service Process devmonsrv.exe
No.050: Parent: 0x002f4 Child: 0x0137c SessionId->0 Service Process obexsrv.exe
No.051: Parent: 0x002f4 Child: 0x013e0 SessionId->0 Service Process IntelMeFWServi
No.052: Parent: 0x002f4 Child: 0x004d4 SessionId->0 Service Process jhi_service.ex
No.053: Parent: 0x002f4 Child: 0x006bc SessionId->0 Service Process LMS.exe
No.054: Parent: 0x002f4 Child: 0x00ca8 SessionId->0 Service Process wmpnetwk.exe
No.055: Parent: 0x002f4 Child: 0x015b8 SessionId->0 Service Process iPodService.ex
No.056: Parent: 0x01ccc Child: 0x00130 SessionId->2 User Process csrss.exe
No.057: Parent: 0x01ccc Child: 0x00af4 SessionId->2 User Process winlogon.exe
No.058: Parent: 0x00af4 Child: 0x00f7c SessionId->2 User Process dwm.exe
No.059: Parent: 0x00124 Child: 0x0175c SessionId->2 User Process nvxdsync.exe
No.060: Parent: 0x00124 Child: 0x00748 SessionId->2 User Process nvvsvc.exe
No.061: Parent: 0x00424 Child: 0x0149c SessionId->2 User Process TabTip.exe
No.062: Parent: 0x0050c Child: 0x01e28 SessionId->2 User Process HControl.exe
No.063: Parent: 0x00734 Child: 0x01570 SessionId->2 User Process InsOnWMI.exe
No.064: Parent: 0x00830 Child: 0x00fb0 SessionId->2 User Process NIS.exe
No.065: Parent: 0x002bc Child: 0x00868 SessionId->2 User Process taskhostex.exe
No.066: Parent: 0x002bc Child: 0x019a8 SessionId->2 User Process BatteryLife.ex
No.067: Parent: 0x002bc Child: 0x00d98 SessionId->2 User Process USBChargerPlus
No.068: Parent: 0x002bc Child: 0x0134c SessionId->2 User Process ASUS Console S
No.069: Parent: 0x002bc Child: 0x01994 SessionId->2 User Process AsPatchTouchPa
No.070: Parent: 0x002bc Child: 0x01688 SessionId->2 User Process ACMON.exe
No.071: Parent: 0x002bc Child: 0x01dcc SessionId->2 User Process ColorUService.
No.072: Parent: 0x01e28 Child: 0x011a8 SessionId->2 User Process KBFiltr.exe
No.073: Parent: 0x00a44 Child: 0x018cc SessionId->2 User Process ATKOSD2.exe
No.074: Parent: 0x01974 Child: 0x01a14 SessionId->2 User Process DMedia.exe
No.075: Parent: 0x00f70 Child: 0x000f8 SessionId->2 User Process NvBackend.exe
No.076: Parent: 0x01dd8 Child: 0x01d40 SessionId->2 User Process explorer.exe
No.077: Parent: 0x00354 Child: 0x01920 SessionId->2 User Process livecomm.exe
No.078: Parent: 0x00354 Child: 0x011a4 SessionId->2 User Process SkyDrive.exe
No.079: Parent: 0x00424 Child: 0x00b2c SessionId->2 User Process TabTip.exe
No.080: Parent: 0x00b2c Child: 0x0086c SessionId->2 User Process TabTip32.exe
No.081: Parent: 0x0175c Child: 0x00348 SessionId->2 User Process nvtray.exe
No.082: Parent: 0x00354 Child: 0x01250 SessionId->2 User Process RuntimeBroker.
No.083: Parent: 0x00bb4 Child: 0x0160c SessionId->2 User Process AsusTPLoader.e
No.084: Parent: 0x0160c Child: 0x01b5c SessionId->2 User Process QuickGesture64
No.085: Parent: 0x0160c Child: 0x00950 SessionId->2 User Process QuickGesture.e
No.086: Parent: 0x0160c Child: 0x00ba4 SessionId->2 User Process AsusTPCenter.e
No.087: Parent: 0x00ba4 Child: 0x01b7c SessionId->2 User Process AsusTPHelper.e
No.088: Parent: 0x01e34 Child: 0x00fc8 SessionId->2 User Process igfxpers.exe
No.089: Parent: 0x00354 Child: 0x0147c SessionId->2 User Process igfxsrvc.exe
No.090: Parent: 0x01d40 Child: 0x00c04 SessionId->2 User Process igfxtray.exe
No.091: Parent: 0x01d40 Child: 0x004ec SessionId->2 User Process hkcmd.exe
No.092: Parent: 0x01d40 Child: 0x01c44 SessionId->2 User Process DptfPolicyLpmS
No.093: Parent: 0x01d40 Child: 0x016d0 SessionId->2 User Process rundll32.exe
No.094: Parent: 0x01d40 Child: 0x01140 SessionId->2 User Process chrome.exe
No.095: Parent: 0x01d40 Child: 0x00e78 SessionId->2 User Process googledrivesyn
No.096: Parent: 0x01d40 Child: 0x00a24 SessionId->2 User Process ScanToPCActiva
No.097: Parent: 0x01d40 Child: 0x006c4 SessionId->2 User Process GROOVE.EXE
No.098: Parent: 0x01140 Child: 0x01468 SessionId->2 User Process chrome.exe
No.099: Parent: 0x01280 Child: 0x01050 SessionId->2 User Process PDVD10Serv.exe
No.100: Parent: 0x01140 Child: 0x0185c SessionId->2 User Process chrome.exe
No.101: Parent: 0x01140 Child: 0x018d0 SessionId->2 User Process chrome.exe
No.102: Parent: 0x01140 Child: 0x00fc4 SessionId->2 User Process chrome.exe
No.103: Parent: 0x01140 Child: 0x00eb4 SessionId->2 User Process chrome.exe
No.104: Parent: 0x01140 Child: 0x01680 SessionId->2 User Process chrome.exe
No.105: Parent: 0x01140 Child: 0x01ec8 SessionId->2 User Process chrome.exe
No.106: Parent: 0x01140 Child: 0x013f4 SessionId->2 User Process chrome.exe
No.107: Parent: 0x01140 Child: 0x00f68 SessionId->2 User Process chrome.exe
No.108: Parent: 0x01140 Child: 0x00624 SessionId->2 User Process chrome.exe
No.109: Parent: 0x01140 Child: 0x0139c SessionId->2 User Process chrome.exe
No.110: Parent: 0x01280 Child: 0x002d8 SessionId->2 User Process jusched.exe
No.111: Parent: 0x01140 Child: 0x0177c SessionId->2 User Process chrome.exe
No.112: Parent: 0x01140 Child: 0x010d8 SessionId->2 User Process chrome.exe
No.113: Parent: 0x01140 Child: 0x01e1c SessionId->2 User Process chrome.exe
No.114: Parent: 0x01140 Child: 0x00298 SessionId->2 User Process chrome.exe
No.115: Parent: 0x01280 Child: 0x01d28 SessionId->2 User Process iTunesHelper.e
No.116: Parent: 0x01280 Child: 0x00824 SessionId->2 User Process hpwuschd2.exe
No.117: Parent: 0x01140 Child: 0x0157c SessionId->2 User Process cmd.exe
No.118: Parent: 0x0157c Child: 0x01ecc SessionId->2 User Process conhost.exe
No.119: Parent: 0x0157c Child: 0x0108c SessionId->2 User Process coNatHst.exe
No.120: Parent: 0x01140 Child: 0x01f20 SessionId->2 User Process nacl64.exe
No.121: Parent: 0x01f20 Child: 0x0187c SessionId->2 User Process nacl64.exe
No.122: Parent: 0x00e78 Child: 0x010b8 SessionId->2 User Process googledrivesyn
No.123: Parent: 0x002bc Child: 0x01af8 SessionId->2 User Process RAVBg64.exe
No.124: Parent: 0x002bc Child: 0x01730 SessionId->2 User Process RAVCpl64.exe
No.125: Parent: 0x00354 Child: 0x00a34 SessionId->2 User Process glcnd.exe
No.126: Parent: 0x00354 Child: 0x0035c SessionId->2 User Process SettingSyncHos
No.127: Parent: 0x01140 Child: 0x01734 SessionId->2 User Process chrome.exe
No.128: Parent: 0x01140 Child: 0x01e80 SessionId->2 User Process chrome.exe
No.129: Parent: 0x01140 Child: 0x007f8 SessionId->2 User Process chrome.exe
No.130: Parent: 0x006c4 Child: 0x00620 SessionId->2 User Process MSOSYNC.EXE
No.131: Parent: 0x01154 Child: 0x01f98 SessionId->0 System Process SearchProtocol
No.132: Parent: 0x01154 Child: 0x01d00 SessionId->0 System Process SearchFilterHo
No.133: Parent: 0x00184 Child: 0x00e14 SessionId->0 System Process audiodg.exe
No.134: Parent: 0x00354 Child: 0x01840 SessionId->2 User Process WWAHost.exe
No.135: Parent: 0x00354 Child: 0x012e4 SessionId->2 User Process BackgroundTran
Processes are separated by session here as well, and compared with the Windows 7 results the start order and the parent-child relationships have become even more complex. What about Windows 10?
1: kd> vertarget
Windows 10 Kernel Version 10240 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 10240.16393.amd64fre.th1_st1.150717-1719
Machine Name:
Kernel base = 0xfffff802`2941a000 PsLoadedModuleList = 0xfffff802`2973f030
Debug session time: Mon Aug 3 17:16:15.086 2015 (UTC + 9:00)
System Uptime: 0 days 1:19:12.780
No.001: Parent: 0x00000 Child: 0x00004 System
No.002: Parent: 0x00004 Child: 0x00144 smss.exe
No.003: Parent: 0x001f0 Child: 0x001f8 SessionId->0 System Process csrss.exe
No.004: Parent: 0x001f0 Child: 0x0024c SessionId->0 System Process wininit.exe
No.005: Parent: 0x0024c Child: 0x002b4 SessionId->0 System Process services.exe
No.006: Parent: 0x0024c Child: 0x002c8 SessionId->0 System Process lsass.exe
No.007: Parent: 0x002b4 Child: 0x00318 SessionId->0 Service Process svchost.exe
No.008: Parent: 0x002b4 Child: 0x00350 SessionId->0 Service Process svchost.exe
No.009: Parent: 0x002b4 Child: 0x003a0 SessionId->0 Service Process sppsvc.exe
No.010: Parent: 0x002b4 Child: 0x001b0 SessionId->0 Service Process svchost.exe
No.011: Parent: 0x002b4 Child: 0x00130 SessionId->0 Service Process svchost.exe
No.012: Parent: 0x002b4 Child: 0x00008 SessionId->0 Service Process svchost.exe
No.013: Parent: 0x002b4 Child: 0x00448 SessionId->0 Service Process svchost.exe
No.014: Parent: 0x002b4 Child: 0x00484 SessionId->0 Service Process svchost.exe
No.015: Parent: 0x002b4 Child: 0x00504 SessionId->0 Service Process svchost.exe
No.016: Parent: 0x002b4 Child: 0x005fc SessionId->0 Service Process spoolsv.exe
No.017: Parent: 0x002b4 Child: 0x006f0 SessionId->0 Service Process svchost.exe
No.018: Parent: 0x002b4 Child: 0x00728 SessionId->0 Service Process svchost.exe
No.019: Parent: 0x002b4 Child: 0x00764 SessionId->0 Service Process armsvc.exe
No.020: Parent: 0x002b4 Child: 0x007a8 SessionId->0 Service Process svchost.exe
No.021: Parent: 0x002b4 Child: 0x007e4 SessionId->0 Service Process mqsvc.exe
No.022: Parent: 0x002b4 Child: 0x00704 SessionId->0 Service Process TosCoSrv.exe
No.023: Parent: 0x002b4 Child: 0x00518 SessionId->0 Service Process msdtc.exe
No.024: Parent: 0x002b4 Child: 0x00994 SessionId->0 Service Process dllhost.exe
No.025: Parent: 0x00318 Child: 0x00378 SessionId->0 System Process dllhost.exe
No.026: Parent: 0x002b4 Child: 0x003fc SessionId->0 Service Process MsMpEng.exe
No.027: Parent: 0x002b4 Child: 0x00a90 SessionId->0 Service Process SearchIndexer.
No.028: Parent: 0x002b4 Child: 0x00bb0 SessionId->0 Service Process VSSVC.exe
No.029: Parent: 0x002b4 Child: 0x00b50 SessionId->0 Service Process svchost.exe
No.030: Parent: 0x002b4 Child: 0x00674 SessionId->0 Service Process svchost.exe
No.031: Parent: 0x002b4 Child: 0x0092c SessionId->0 Service Process svchost.exe
No.032: Parent: 0x01a80 Child: 0x003dc SessionId->1 User Process csrss.exe
No.033: Parent: 0x01a80 Child: 0x0140c SessionId->1 User Process winlogon.exe
No.034: Parent: 0x0140c Child: 0x01cc4 SessionId->1 User Process dwm.exe
No.035: Parent: 0x00130 Child: 0x00b70 SessionId->1 User Process sihost.exe
No.036: Parent: 0x00130 Child: 0x00e7c SessionId->1 User Process taskhostw.exe
No.037: Parent: 0x0140c Child: 0x00d3c SessionId->1 User Process userinit.exe
No.038: Parent: 0x00d3c Child: 0x00614 SessionId->1 User Process explorer.exe
No.039: Parent: 0x00318 Child: 0x014a4 SessionId->1 User Process RuntimeBroker.
No.040: Parent: 0x00318 Child: 0x00464 SessionId->1 User Process SearchUI.exe
No.041: Parent: 0x00614 Child: 0x011bc SessionId->1 User Process RAVCpl64.exe
No.042: Parent: 0x00614 Child: 0x010dc SessionId->1 User Process TPwrMain.exe
No.043: Parent: 0x00614 Child: 0x018f4 SessionId->1 User Process SmoothView.exe
No.044: Parent: 0x00614 Child: 0x011c0 SessionId->1 User Process TCrdMain.exe
No.045: Parent: 0x00614 Child: 0x00ce4 SessionId->1 User Process OneDrive.exe
No.046: Parent: 0x002b4 Child: 0x016a8 SessionId->1 User Process svchost.exe
No.047: Parent: 0x00318 Child: 0x01b94 SessionId->1 User Process ImeBroker.exe
No.048: Parent: 0x00318 Child: 0x01d60 SessionId->1 User Process ApplicationFra
No.049: Parent: 0x00318 Child: 0x00a60 SessionId->1 User Process ShellExperienc
No.050: Parent: 0x00008 Child: 0x01d4c SessionId->0 System Process audiodg.exe
No.051: Parent: 0x00614 Child: 0x013d0 SessionId->1 User Process thunderbird.ex
No.052: Parent: 0x00318 Child: 0x01434 SessionId->0 System Process WmiPrvSE.exe
No.053: Parent: 0x00318 Child: 0x011fc SessionId->1 User Process InstallAgent.e
No.054: Parent: 0x01564 Child: 0x01be0 SessionId->1 User Process chrome.exe
No.055: Parent: 0x00614 Child: 0x01bf0 SessionId->1 User Process NotMyfault.exe
No.056: Parent: 0x00a90 Child: 0x01318 SessionId->1 User Process SearchProtocol
No.057: Parent: 0x00a90 Child: 0x01f20 SessionId->0 System Process SearchFilterHo
No.058: Parent: 0x00a90 Child: 0x01f28 SessionId->0 System Process SearchProtocol
These results look almost unchanged from the Windows 7 era. However, on a Windows 10 environment with a newer build number, the effect of the security investments made since the early 2000s shows up as follows.
1: kd> vertarget
Windows 10 Kernel Version 10586 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 10586.162.amd64fre.th2_release_sec.160223-1728
Machine Name:
Kernel base = 0xfffff800`40c7e000 PsLoadedModuleList = 0xfffff800`40f5ccd0
Debug session time: Wed Mar 23 08:01:18.208 2016 (UTC + 9:00)
System Uptime: 0 days 15:55:12.887
No.001: Parent: 0x00000 Child: 0x00004 System
No.002: Parent: 0x00004 Child: 0x0014c smss.exe
No.003: Parent: 0x001d4 Child: 0x001e0 SessionId->0 System Process csrss.exe
No.004: Parent: 0x0014c Child: 0x00220 SessionId->1 User Process smss.exe
No.005: Parent: 0x001d4 Child: 0x00228 SessionId->0 System Process wininit.exe
No.006: Parent: 0x00220 Child: 0x00238 SessionId->1 User Process csrss.exe
No.007: Parent: 0x00228 Child: 0x0026c SessionId->0 System Process services.exe
No.008: Parent: 0x00228 Child: 0x00274 SessionId->0 System Process lsass.exe
No.009: Parent: 0x00220 Child: 0x002b4 SessionId->1 User Process winlogon.exe
No.010: Parent: 0x0026c Child: 0x002f8 SessionId->0 Service Process svchost.exe
No.011: Parent: 0x0026c Child: 0x00324 SessionId->0 Service Process svchost.exe
No.012: Parent: 0x002b4 Child: 0x003b4 SessionId->1 User Process dwm.exe
No.013: Parent: 0x0026c Child: 0x00044 SessionId->0 Service Process svchost.exe
No.014: Parent: 0x0026c Child: 0x00164 SessionId->0 Service Process svchost.exe
[---]
When reading this listing, look at the parent-child relationship between smss.exe (the Session Manager) and winlogon.exe. At first glance it looks like a return to the Windows XP model, in which smss.exe launched winlogon.exe directly. In this dump, however, the boot-time smss.exe (0x0014c) has spawned a second smss.exe (0x00220) in session 1, and it is that copy which appears as the parent of the session-1 csrss.exe and winlogon.exe; the session-0 csrss.exe and wininit.exe point at parent 0x001d4, a process that is no longer present in the dump (the per-session smss.exe copy that exits once csrss.exe and wininit.exe are running). In other words the parent-child structure and behaviour of smss.exe have been redesigned rather than reverted, and its sandboxing has been carried further. Watching kernel internals change on such a short cycle, one has to accept that the results of long-term investment in security will keep being implemented at the kernel level, boldly and unnoticed. It is also worth recognising that timely public disclosure of kernel-internal changes of this importance can hardly be expected. For reference, here is the listing from a Windows 11 environment.
SeqNo.0001: Parent: 0x00000 Child: 0x00004 SessionId->0 System Process System
SeqNo.0002: Parent: 0x00004 Child: 0x000c8 SessionId->0 System Process Registry
SeqNo.0003: Parent: 0x00004 Child: 0x00220 SessionId->0 System Process smss.exe
SeqNo.0006: Parent: 0x002fc Child: 0x0031c SessionId->0 System Process csrss.exe
SeqNo.0008: Parent: 0x002fc Child: 0x003ac SessionId->0 System Process wininit.exe
SeqNo.0009: Parent: 0x003a4 Child: 0x003b4 SessionId->1 User Process csrss.exe
SeqNo.0010: Parent: 0x003ac Child: 0x003f4 SessionId->0 System Process services.exe
SeqNo.0011: Parent: 0x003ac Child: 0x002a8 SessionId->0 System Process lsass.exe
SeqNo.0012: Parent: 0x003a4 Child: 0x00408 SessionId->1 User Process winlogon.exe
SeqNo.0013: Parent: 0x003f4 Child: 0x00488 SessionId->0 Service Process svchost.exe
SeqNo.0014: Parent: 0x003ac Child: 0x004a4 SessionId->0 System Process fontdrvhost.ex
SeqNo.0015: Parent: 0x00408 Child: 0x004ac SessionId->1 User Process fontdrvhost.ex
SeqNo.0016: Parent: 0x003f4 Child: 0x0050c SessionId->0 Service Process svchost.exe
SeqNo.0017: Parent: 0x003f4 Child: 0x0053c SessionId->0 Service Process svchost.exe
SeqNo.0018: Parent: 0x00408 Child: 0x00584 SessionId->1 User Process LogonUI.exe
SeqNo.0019: Parent: 0x00408 Child: 0x0058c SessionId->1 User Process dwm.exe
SeqNo.0021: Parent: 0x003f4 Child: 0x00600 SessionId->0 Service Process svchost.exe
SeqNo.0022: Parent: 0x003f4 Child: 0x00620 SessionId->0 Service Process svchost.exe
SeqNo.0023: Parent: 0x003f4 Child: 0x0062c SessionId->0 Service Process svchost.exe
SeqNo.0024: Parent: 0x003f4 Child: 0x00664 SessionId->0 Service Process svchost.exe
SeqNo.0025: Parent: 0x003f4 Child: 0x0069c SessionId->0 Service Process svchost.exe
SeqNo.0028: Parent: 0x003f4 Child: 0x006ec SessionId->0 Service Process svchost.exe
SeqNo.0029: Parent: 0x003f4 Child: 0x00704 SessionId->0 Service Process svchost.exe
SeqNo.0030: Parent: 0x003f4 Child: 0x00768 SessionId->0 Service Process svchost.exe
SeqNo.0031: Parent: 0x003f4 Child: 0x00788 SessionId->0 Service Process svchost.exe
SeqNo.0034: Parent: 0x003f4 Child: 0x007f4 SessionId->0 Service Process svchost.exe
SeqNo.0035: Parent: 0x003f4 Child: 0x007fc SessionId->0 Service Process amdfendrsr.exe
SeqNo.0036: Parent: 0x003f4 Child: 0x002b0 SessionId->0 Service Process atiesrxx.exe
SeqNo.0037: Parent: 0x003f4 Child: 0x006e8 SessionId->0 Service Process WUDFHost.exe
SeqNo.0038: Parent: 0x003f4 Child: 0x00860 SessionId->0 Service Process svchost.exe
SeqNo.0039: Parent: 0x003f4 Child: 0x00900 SessionId->0 Service Process svchost.exe
SeqNo.0041: Parent: 0x003f4 Child: 0x00958 SessionId->0 Service Process svchost.exe
SeqNo.0042: Parent: 0x003f4 Child: 0x00960 SessionId->0 Service Process svchost.exe
SeqNo.0043: Parent: 0x003f4 Child: 0x00968 SessionId->0 Service Process svchost.exe
SeqNo.0044: Parent: 0x002b0 Child: 0x00974 SessionId->1 User Process atieclxx.exe
SeqNo.0045: Parent: 0x00004 Child: 0x009cc SessionId->0 System Process MemCompression
SeqNo.0046: Parent: 0x003f4 Child: 0x009f0 SessionId->0 Service Process svchost.exe
SeqNo.0047: Parent: 0x003f4 Child: 0x00a08 SessionId->0 Service Process svchost.exe
SeqNo.0048: Parent: 0x003f4 Child: 0x00a10 SessionId->0 Service Process svchost.exe
SeqNo.0049: Parent: 0x003f4 Child: 0x00a58 SessionId->0 Service Process svchost.exe
SeqNo.0050: Parent: 0x003f4 Child: 0x00b14 SessionId->0 Service Process svchost.exe
SeqNo.0051: Parent: 0x003f4 Child: 0x00b34 SessionId->0 Service Process svchost.exe
SeqNo.0052: Parent: 0x003f4 Child: 0x00b38 SessionId->0 Service Process svchost.exe
SeqNo.0053: Parent: 0x003f4 Child: 0x00b44 SessionId->0 Service Process svchost.exe
SeqNo.0054: Parent: 0x003f4 Child: 0x00b8c SessionId->0 Service Process svchost.exe
SeqNo.0055: Parent: 0x003f4 Child: 0x00a04 SessionId->0 Service Process spoolsv.exe
SeqNo.0056: Parent: 0x003f4 Child: 0x00a38 SessionId->0 Service Process svchost.exe
SeqNo.0057: Parent: 0x003f4 Child: 0x00c20 SessionId->0 Service Process svchost.exe
SeqNo.0058: Parent: 0x00b14 Child: 0x00c90 SessionId->0 System Process audiodg.exe
SeqNo.0059: Parent: 0x003f4 Child: 0x00c98 SessionId->0 Service Process svchost.exe
SeqNo.0060: Parent: 0x003f4 Child: 0x00d58 SessionId->0 Service Process svchost.exe
SeqNo.0061: Parent: 0x003f4 Child: 0x00d60 SessionId->0 Service Process svchost.exe
SeqNo.0062: Parent: 0x003f4 Child: 0x00d68 SessionId->0 Service Process svchost.exe
SeqNo.0063: Parent: 0x003f4 Child: 0x00d70 SessionId->0 Service Process svchost.exe
SeqNo.0064: Parent: 0x003f4 Child: 0x00d78 SessionId->0 Service Process svchost.exe
SeqNo.0065: Parent: 0x003f4 Child: 0x00d80 SessionId->0 Service Process svchost.exe
SeqNo.0066: Parent: 0x003f4 Child: 0x00d88 SessionId->0 Service Process svchost.exe
SeqNo.0067: Parent: 0x003f4 Child: 0x00d90 SessionId->0 Service Process RtkAudUService
SeqNo.0068: Parent: 0x003f4 Child: 0x00d98 SessionId->0 Service Process QuantumService
SeqNo.0069: Parent: 0x003f4 Child: 0x00db0 SessionId->0 Service Process MsMpEng.exe
SeqNo.0070: Parent: 0x003f4 Child: 0x00e74 SessionId->0 Service Process svchost.exe
SeqNo.0071: Parent: 0x003f4 Child: 0x00f44 SessionId->0 Service Process svchost.exe
SeqNo.0076: Parent: 0x00d88 Child: 0x01034 SessionId->0 System Process AggregatorHost
SeqNo.0078: Parent: 0x003f4 Child: 0x010c8 SessionId->0 Service Process svchost.exe
SeqNo.0080: Parent: 0x003f4 Child: 0x010fc SessionId->0 Service Process svchost.exe
SeqNo.0082: Parent: 0x00788 Child: 0x01154 SessionId->1 User Process sihost.exe
SeqNo.0085: Parent: 0x003f4 Child: 0x011a0 SessionId->1 User Process svchost.exe
SeqNo.0086: Parent: 0x003f4 Child: 0x011d0 SessionId->1 User Process svchost.exe
SeqNo.0092: Parent: 0x003f4 Child: 0x01244 SessionId->0 Service Process svchost.exe
SeqNo.0095: Parent: 0x003f4 Child: 0x012d0 SessionId->0 Service Process svchost.exe
SeqNo.0096: Parent: 0x012d0 Child: 0x01300 SessionId->1 User Process ctfmon.exe
SeqNo.0097: Parent: 0x00620 Child: 0x013c0 SessionId->1 User Process taskhostw.exe
SeqNo.0100: Parent: 0x00408 Child: 0x00e80 SessionId->1 User Process userinit.exe
SeqNo.0101: Parent: 0x003f4 Child: 0x010a8 SessionId->0 Service Process svchost.exe
SeqNo.0102: Parent: 0x00e80 Child: 0x01064 SessionId->1 User Process explorer.exe
SeqNo.0103: Parent: 0x003f4 Child: 0x01178 SessionId->0 Service Process svchost.exe
SeqNo.0107: Parent: 0x003f4 Child: 0x014c4 SessionId->0 Service Process svchost.exe
SeqNo.0108: Parent: 0x003f4 Child: 0x0155c SessionId->1 User Process svchost.exe
SeqNo.0111: Parent: 0x003f4 Child: 0x015d8 SessionId->0 Service Process svchost.exe
SeqNo.0112: Parent: 0x003f4 Child: 0x015e0 SessionId->0 Service Process svchost.exe
SeqNo.0115: Parent: 0x003f4 Child: 0x0168c SessionId->0 Service Process svchost.exe
SeqNo.0118: Parent: 0x00d98 Child: 0x016e0 SessionId->1 User Process QuantumApp.exe
SeqNo.0128: Parent: 0x00488 Child: 0x01650 SessionId->1 User Process SearchHost.exe
SeqNo.0129: Parent: 0x00488 Child: 0x016b8 SessionId->1 User Process StartMenuExper
SeqNo.0131: Parent: 0x00488 Child: 0x015d4 SessionId->1 User Process RuntimeBroker.
SeqNo.0132: Parent: 0x00488 Child: 0x0182c SessionId->1 User Process RuntimeBroker.
SeqNo.0134: Parent: 0x003f4 Child: 0x0189c SessionId->1 User Process svchost.exe
SeqNo.0136: Parent: 0x00488 Child: 0x01964 SessionId->1 User Process dllhost.exe
SeqNo.0140: Parent: 0x00488 Child: 0x01b64 SessionId->1 User Process LockApp.exe
SeqNo.0141: Parent: 0x00488 Child: 0x017c0 SessionId->1 User Process RuntimeBroker.
SeqNo.0142: Parent: 0x003f4 Child: 0x01c8c SessionId->0 Service Process SearchIndexer.
SeqNo.0143: Parent: 0x003f4 Child: 0x01c94 SessionId->1 User Process svchost.exe
SeqNo.0144: Parent: 0x003f4 Child: 0x01cf0 SessionId->0 Service Process svchost.exe
SeqNo.0148: Parent: 0x00db0 Child: 0x01dc4 SessionId->0 System Process MsMpEngCP.exe
SeqNo.0159: Parent: 0x00488 Child: 0x01f4c SessionId->0 System Process WmiPrvSE.exe
SeqNo.0160: Parent: 0x003f4 Child: 0x01d60 SessionId->0 Service Process NisSrv.exe
SeqNo.0165: Parent: 0x003f4 Child: 0x01684 SessionId->0 Service Process svchost.exe
SeqNo.0167: Parent: 0x00488 Child: 0x01d6c SessionId->1 User Process smartscreen.ex
SeqNo.0168: Parent: 0x01064 Child: 0x01e48 SessionId->1 User Process SecurityHealth
SeqNo.0169: Parent: 0x003f4 Child: 0x0194c SessionId->0 Service Process SecurityHealth
SeqNo.0170: Parent: 0x01064 Child: 0x01bc0 SessionId->1 User Process RtkAudUService
SeqNo.0171: Parent: 0x01064 Child: 0x01e54 SessionId->1 User Process OneDrive.exe
SeqNo.0173: Parent: 0x003f4 Child: 0x0207c SessionId->0 Service Process svchost.exe
SeqNo.0175: Parent: 0x01064 Child: 0x020d0 SessionId->1 User Process Battle.net.exe
SeqNo.0177: Parent: 0x02148 Child: 0x02170 SessionId->1 User Process Agent.exe
SeqNo.0178: Parent: 0x02170 Child: 0x02178 SessionId->1 User Process conhost.exe
SeqNo.0180: Parent: 0x020d0 Child: 0x022dc SessionId->1 User Process Battle.net.exe
SeqNo.0181: Parent: 0x020d0 Child: 0x0238c SessionId->1 User Process Battle.net.exe
SeqNo.0182: Parent: 0x01064 Child: 0x01484 SessionId->1 User Process steam.exe
SeqNo.0183: Parent: 0x00974 Child: 0x020fc SessionId->1 User Process atieah32.exe
SeqNo.0184: Parent: 0x01484 Child: 0x0232c SessionId->1 User Process steamwebhelper
SeqNo.0185: Parent: 0x003f4 Child: 0x023bc SessionId->0 Service Process steamservice.e
SeqNo.0186: Parent: 0x0232c Child: 0x023d0 SessionId->1 User Process steamwebhelper
SeqNo.0187: Parent: 0x0232c Child: 0x020bc SessionId->1 User Process steamwebhelper
SeqNo.0198: Parent: 0x01064 Child: 0x024b0 SessionId->1 User Process EpicGamesLaunc
SeqNo.0204: Parent: 0x01218 Child: 0x025a0 SessionId->1 User Process RadeonSoftware
SeqNo.0206: Parent: 0x0232c Child: 0x02668 SessionId->1 User Process steamwebhelper
SeqNo.0207: Parent: 0x01154 Child: 0x026b0 SessionId->1 User Process msteams.exe
SeqNo.0208: Parent: 0x00488 Child: 0x0276c SessionId->1 User Process RuntimeBroker.
SeqNo.0210: Parent: 0x026b0 Child: 0x027bc SessionId->1 User Process msedgewebview2
SeqNo.0211: Parent: 0x027bc Child: 0x027e0 SessionId->1 User Process msedgewebview2
SeqNo.0212: Parent: 0x027bc Child: 0x02474 SessionId->1 User Process msedgewebview2
SeqNo.0213: Parent: 0x027bc Child: 0x005b0 SessionId->1 User Process msedgewebview2
SeqNo.0214: Parent: 0x027bc Child: 0x02520 SessionId->1 User Process msedgewebview2
SeqNo.0215: Parent: 0x027bc Child: 0x0257c SessionId->1 User Process msedgewebview2
SeqNo.0219: Parent: 0x024b0 Child: 0x02810 SessionId->1 User Process EpicWebHelper.
SeqNo.0233: Parent: 0x0232c Child: 0x02aec SessionId->1 User Process steamwebhelper
SeqNo.0234: Parent: 0x0232c Child: 0x02b14 SessionId->1 User Process steamwebhelper
SeqNo.0235: Parent: 0x0232c Child: 0x027c4 SessionId->1 User Process steamwebhelper
SeqNo.0236: Parent: 0x025a0 Child: 0x028e8 SessionId->1 User Process cncmd.exe
SeqNo.0237: Parent: 0x024b0 Child: 0x02944 SessionId->1 User Process EpicWebHelper.
SeqNo.0241: Parent: 0x029fc Child: 0x02b4c SessionId->1 User Process AMDRSServ.exe
SeqNo.0267: Parent: 0x02b4c Child: 0x03214 SessionId->1 User Process amdow.exe
SeqNo.0292: Parent: 0x00488 Child: 0x02e30 SessionId->1 User Process ApplicationFra
SeqNo.0293: Parent: 0x003f4 Child: 0x02dd8 SessionId->0 Service Process svchost.exe
SeqNo.0335: Parent: 0x003f4 Child: 0x02f74 SessionId->0 Service Process svchost.exe
SeqNo.0336: Parent: 0x003f4 Child: 0x023c4 SessionId->0 Service Process svchost.exe
SeqNo.0341: Parent: 0x003f4 Child: 0x02cd4 SessionId->1 User Process svchost.exe
SeqNo.0343: Parent: 0x003f4 Child: 0x02e48 SessionId->0 Service Process SgrmBroker.exe
SeqNo.0349: Parent: 0x003f4 Child: 0x01d48 SessionId->0 Service Process svchost.exe
SeqNo.0355: Parent: 0x029a8 Child: 0x02bd4 SessionId->1 User Process opera.exe
SeqNo.0356: Parent: 0x02bd4 Child: 0x0312c SessionId->1 User Process opera_crashrep
SeqNo.0358: Parent: 0x02bd4 Child: 0x009c4 SessionId->1 User Process opera.exe
SeqNo.0359: Parent: 0x02bd4 Child: 0x02784 SessionId->1 User Process opera.exe
SeqNo.0360: Parent: 0x00488 Child: 0x0306c SessionId->1 User Process Widgets.exe
SeqNo.0361: Parent: 0x02bd4 Child: 0x003cc SessionId->1 User Process opera.exe
SeqNo.0363: Parent: 0x02bd4 Child: 0x01cac SessionId->1 User Process opera.exe
SeqNo.0365: Parent: 0x02bd4 Child: 0x01928 SessionId->1 User Process opera.exe
SeqNo.0366: Parent: 0x02bd4 Child: 0x01750 SessionId->1 User Process opera.exe
SeqNo.0367: Parent: 0x02bd4 Child: 0x0197c SessionId->1 User Process opera.exe
SeqNo.0369: Parent: 0x0306c Child: 0x033a8 SessionId->1 User Process msedgewebview2
SeqNo.0370: Parent: 0x02bd4 Child: 0x00ecc SessionId->1 User Process opera.exe
SeqNo.0371: Parent: 0x033a8 Child: 0x01cb0 SessionId->1 User Process msedgewebview2
SeqNo.0372: Parent: 0x02bd4 Child: 0x00dec SessionId->1 User Process opera.exe
SeqNo.0373: Parent: 0x02bd4 Child: 0x029d8 SessionId->1 User Process opera.exe
SeqNo.0375: Parent: 0x033a8 Child: 0x00b20 SessionId->1 User Process msedgewebview2
SeqNo.0376: Parent: 0x033a8 Child: 0x0300c SessionId->1 User Process msedgewebview2
SeqNo.0377: Parent: 0x033a8 Child: 0x03178 SessionId->1 User Process msedgewebview2
SeqNo.0378: Parent: 0x033a8 Child: 0x03288 SessionId->1 User Process msedgewebview2
SeqNo.0381: Parent: 0x02bd4 Child: 0x0188c SessionId->1 User Process opera.exe
SeqNo.0383: Parent: 0x02bd4 Child: 0x024d8 SessionId->1 User Process opera.exe
SeqNo.0407: Parent: 0x003f4 Child: 0x01da4 SessionId->0 Service Process svchost.exe
SeqNo.0408: Parent: 0x003f4 Child: 0x01a40 SessionId->0 Service Process svchost.exe
SeqNo.0410: Parent: 0x00488 Child: 0x01ec0 SessionId->0 System Process WmiPrvSE.exe
SeqNo.0420: Parent: 0x025a0 Child: 0x01d90 SessionId->1 User Process QtWebEnginePro
SeqNo.0422: Parent: 0x02b4c Child: 0x02958 SessionId->1 User Process AMDRSSrcExt.ex
SeqNo.0435: Parent: 0x02bd4 Child: 0x0129c SessionId->1 User Process opera.exe
SeqNo.0438: Parent: 0x003f4 Child: 0x027d0 SessionId->0 Service Process svchost.exe
SeqNo.0439: Parent: 0x003f4 Child: 0x012e0 SessionId->0 Service Process svchost.exe
SeqNo.0440: Parent: 0x003f4 Child: 0x024d0 SessionId->0 Service Process svchost.exe
SeqNo.0442: Parent: 0x003f4 Child: 0x00f90 SessionId->0 Service Process svchost.exe
SeqNo.0444: Parent: 0x003f4 Child: 0x0087c SessionId->0 Service Process svchost.exe
SeqNo.0445: Parent: 0x00488 Child: 0x02c48 SessionId->1 User Process ShellExperienc
SeqNo.0446: Parent: 0x00488 Child: 0x032a0 SessionId->1 User Process RuntimeBroker.
SeqNo.0452: Parent: 0x003f4 Child: 0x012ac SessionId->0 Service Process svchost.exe
SeqNo.0453: Parent: 0x003f4 Child: 0x014ac SessionId->0 Service Process svchost.exe
SeqNo.0456: Parent: 0x024b0 Child: 0x00ba4 SessionId->1 User Process EpicWebHelper.
SeqNo.0457: Parent: 0x024b0 Child: 0x032dc SessionId->1 User Process EpicWebHelper.
SeqNo.0458: Parent: 0x024b0 Child: 0x02a3c SessionId->1 User Process EpicWebHelper.
SeqNo.0459: Parent: 0x024b0 Child: 0x033f8 SessionId->1 User Process EpicWebHelper.
SeqNo.0460: Parent: 0x024b0 Child: 0x00b0c SessionId->1 User Process EpicWebHelper.
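To make the System/Service/User labels in these listings reproducible, here is an added example written for this page; it is not the IT談話館 tool itself. The script parses the "Parent/Child/SessionId" line format used above, re-derives the category from the definitions given at the start of the article (outside session 0: User; session 0 and a direct child of services.exe: Service; session 0 otherwise: System), cross-checks the result against the label the tool printed, and walks the parent chain by PID so that the smss.exe -> smss.exe -> winlogon.exe lineage discussed above can be read off directly. The sample lines are copied from the Windows 10 build 10586 listing; the "<exited 0x...>" marker is this example's own convention for a parent PID that is absent from the dump.

```python
import re
from collections import defaultdict, namedtuple

# Sample input: lines copied from the Windows 10 (build 10586) listing above.
# The tool's own category label is kept so it can be cross-checked.
SAMPLE = """\
No.001: Parent: 0x00000 Child: 0x00004 System
No.002: Parent: 0x00004 Child: 0x0014c smss.exe
No.003: Parent: 0x001d4 Child: 0x001e0 SessionId->0 System Process csrss.exe
No.004: Parent: 0x0014c Child: 0x00220 SessionId->1 User Process smss.exe
No.005: Parent: 0x001d4 Child: 0x00228 SessionId->0 System Process wininit.exe
No.006: Parent: 0x00220 Child: 0x00238 SessionId->1 User Process csrss.exe
No.007: Parent: 0x00228 Child: 0x0026c SessionId->0 System Process services.exe
No.008: Parent: 0x00228 Child: 0x00274 SessionId->0 System Process lsass.exe
No.009: Parent: 0x00220 Child: 0x002b4 SessionId->1 User Process winlogon.exe
No.010: Parent: 0x0026c Child: 0x002f8 SessionId->0 Service Process svchost.exe
No.011: Parent: 0x0026c Child: 0x00324 SessionId->0 Service Process svchost.exe
No.012: Parent: 0x002b4 Child: 0x003b4 SessionId->1 User Process dwm.exe
No.013: Parent: 0x0026c Child: 0x00044 SessionId->0 Service Process svchost.exe
No.014: Parent: 0x0026c Child: 0x00164 SessionId->0 Service Process svchost.exe
"""

Proc = namedtuple("Proc", "seq ppid pid session label name")

# Matches both the "No.NNN:" (XP..10) and "SeqNo.NNNN:" (Windows 11) prefixes.
# The SessionId/label group is optional: System and the boot smss.exe carry none.
LINE = re.compile(
    r"^(?:No|SeqNo)\.(\d+): Parent: 0x([0-9a-fA-F]+) Child: 0x([0-9a-fA-F]+)"
    r"(?: SessionId->(\d+) (System|Service|User) Process)? (.+)$"
)


def parse(text):
    """Parse one listing into Proc records; non-matching lines are skipped."""
    procs = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        seq, ppid, pid, session, label, name = m.groups()
        procs.append(Proc(int(seq), int(ppid, 16), int(pid, 16),
                          None if session is None else int(session),
                          label, name.strip()))
    return procs


def find_scm(procs):
    """PID of the Service Control Manager: services.exe running in session 0."""
    for p in procs:
        if p.name == "services.exe" and p.session == 0:
            return p.pid
    raise LookupError("services.exe not found in session 0")


def classify(proc, scm_pid):
    """The article's rule: outside session 0 -> User; in session 0 a direct
    child of the SCM -> Service; any other session-0 process -> System.
    Lines without a SessionId carry no label, so None is returned for them."""
    if proc.session is None:
        return None
    if proc.session != 0:
        return "User"
    return "Service" if proc.ppid == scm_pid else "System"


def mismatches(procs):
    """Processes whose re-derived category differs from the printed label."""
    scm = find_scm(procs)
    return [(f"0x{p.pid:05x}", p.name, p.label, classify(p, scm))
            for p in procs
            if p.label is not None and classify(p, scm) != p.label]


def lineage(pid, by_pid):
    """Walk the parent chain by PID. Stops at System (parent 0) or at a parent
    that is absent from the dump, e.g. the per-session smss.exe copy that has
    already exited; such a gap is reported with an <exited ...> marker."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    if pid != 0 and pid not in by_pid:
        chain.append(f"<exited 0x{pid:05x}>")
    return chain


def per_session(procs):
    """Session id -> sorted (pid, name) list; key None for session-less lines."""
    out = defaultdict(list)
    for p in procs:
        out[p.session].append((p.pid, p.name))
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    procs = parse(SAMPLE)
    by_pid = {p.pid: p for p in procs}
    scm = find_scm(procs)
    for p in procs:
        print(f"0x{p.pid:05x} {p.name:<13} session={p.session} "
              f"category={classify(p, scm)}")
    print("label mismatches:", mismatches(procs))
    print("winlogon.exe lineage:", " <- ".join(lineage(0x2b4, by_pid)))
    print("csrss.exe (session 0) lineage:", " <- ".join(lineage(0x1e0, by_pid)))
```

Running it on the 10586 sample reports no label mismatches, which confirms that the tool classifies by the direct parent rather than by ancestry (the same rule explains why audiodg.exe and WmiPrvSE.exe, children of an svchost.exe rather than of services.exe, are labelled System Process in the Windows 11 listing). The lineage of winlogon.exe resolves through the session-1 smss.exe copy to the boot smss.exe and System, while the session-0 csrss.exe stops at the absent parent 0x001d4.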