Windows System Analysis for Professionals
||1:lkd> vertarget
Windows 10 Kernel Version 18362 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 18362.1.amd64fre.19h1_release.190318-1202
Machine Name:
Kernel base = 0xfffff804`67c00000 PsLoadedModuleList = 0xfffff804`680480b0
Debug session time: Fri Nov 8 09:11:56.153 2019 (UTC + 9:00)
System Uptime: 3 days 13:56:07.992
+0xffffb50aaac68040 Type->02 Signer->07 Critical->0 SubsystemProcess->0 System
+0xffffb50aaadd6040 Type->02 Signer->07 Critical->0 SubsystemProcess->0 Registry
+0xffffb50aac9d6040 Type->01 Signer->06 Critical->1 SubsystemProcess->0 smss.exe
+0xffffb50aae7bf080 Type->01 Signer->06 Critical->1 SubsystemProcess->1 csrss.exe
+0xffffb50ab02a4080 Type->01 Signer->06 Critical->1 SubsystemProcess->0 wininit.exe
+0xffffb50ab02ab3c0 Type->01 Signer->06 Critical->1 SubsystemProcess->1 csrss.exe
+0xffffb50ab02ed2c0 Type->01 Signer->06 Critical->1 SubsystemProcess->0 services.exe
-0xffffb50ab02e90c0 ProtectionLevel->00 Critical->0 SubsystemProcess->0 lsass.exe
-0xffffb50ab035e080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab0361080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 fontdrvhost.ex
+0xffffb50ab0366080 Type->00 Signer->00 Critical->1 SubsystemProcess->0 svchost.exe
-0xffffb50ab03a64c0 ProtectionLevel->00 Critical->0 SubsystemProcess->0 winlogon.exe
-0xffffb50ab0a32480 ProtectionLevel->00 Critical->0 SubsystemProcess->0 fontdrvhost.ex
+0xffffb50ab0a52440 Type->00 Signer->00 Critical->1 SubsystemProcess->0 svchost.exe
-0xffffb50ab0a65080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab0aa5080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 dwm.exe
-0xffffb50ab0b53080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab0ba1080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab0bc6080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab0bd5080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab0bd4080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab0c0b080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab0c790c0 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab0c87080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab0d7a0c0 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab0d7d080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab0d7b080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
+0xffffb50ab0da2040 Type->02 Signer->07 Critical->0 SubsystemProcess->0 MemCompression
+0xffffb50ab0e06080 Type->00 Signer->00 Critical->1 SubsystemProcess->0 svchost.exe
-0xffffb50ab0e07080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab0e1b080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab0e19080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab0e1a080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab0e1e080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 WUDFHost.exe
-0xffffb50ab0e80080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab0eb40c0 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab0eef080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab0ef3080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab0ef4080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab0f410c0 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab0f97080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab0fca080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab1023080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab103f0c0 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50aaacca0c0 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50aaad2f080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50aaad1e080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50aaac620c0 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab1168080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab11f50c0 ProtectionLevel->00 Critical->0 SubsystemProcess->0 spoolsv.exe
+0xffffb50ab1220080 Type->00 Signer->00 Critical->1 SubsystemProcess->0 svchost.exe
-0xffffb50ab0f2f080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab11f90c0 ProtectionLevel->00 Critical->0 SubsystemProcess->0 armsvc.exe
-0xffffb50ab1374300 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab136b0c0 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab131c080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab1388080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab1389080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab1387080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab134e080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab13c1080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 mqsvc.exe
-0xffffb50ab13c5080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 SMSvcHost.exe
-0xffffb50ab13d0080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 Sysmon.exe
-0xffffb50ab13d3080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
+0xffffb50ab13d90c0 Type->01 Signer->03 Critical->0 SubsystemProcess->0 MsMpEng.exe
-0xffffb50ab13de300 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50aae89c080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab13ce080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab16d4080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab178e0c0 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab17a1080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab1b9d080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
+0xffffb50ab19c84c0 Type->01 Signer->03 Critical->0 SubsystemProcess->0 NisSrv.exe
-0xffffb50ab1281080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 sihost.exe
-0xffffb50ab1270080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50aaccab480 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab0ffb080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50aaccb1080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 taskhostw.exe
-0xffffb50aac647080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50aaccbc080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 ctfmon.exe
-0xffffb50aac61e080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 explorer.exe
-0xffffb50ab1e8d080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab1e93080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50aacde8340 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab0a9f080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 StartMenuExper
-0xffffb50aacf2f080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 RuntimeBroker.
-0xffffb50aae165080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 dllhost.exe
-0xffffb50aacca6080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 SearchUI.exe
-0xffffb50ab211b080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 RuntimeBroker.
-0xffffb50ab21bb080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 SecurityHealth
+0xffffb50ab1fe4080 Type->01 Signer->05 Critical->0 SubsystemProcess->0 SecurityHealth
-0xffffb50ab22ab080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 RAVCpl64.exe
-0xffffb50ab1247080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab22dd080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab23c6080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
+0xffffb50ab24bc080 Type->02 Signer->06 Critical->0 SubsystemProcess->0 SgrmBroker.exe
-0xffffb50ab1b95080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
+0xffffb50aae150080 Type->01 Signer->05 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab2384080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 SearchIndexer.
-0xffffb50ab24bb080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab2395080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab23e7080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 ShellExperienc
-0xffffb50ab2db3080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab1b744c0 ProtectionLevel->00 Critical->0 SubsystemProcess->0 LockApp.exe
-0xffffb50ab22b4080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 RuntimeBroker.
-0xffffb50ab299d080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50aaccb2080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab37f6080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 SettingSyncHos
-0xffffb50ab2cf7080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab2a2a080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 WindowsInterna
-0xffffb50ab2f46080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab177c080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab3941080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 GameBar.exe
-0xffffb50ab396d0c0 ProtectionLevel->00 Critical->0 SubsystemProcess->0 RuntimeBroker.
-0xffffb50ab41cb240 ProtectionLevel->00 Critical->0 SubsystemProcess->0 GameBarFT.exe
+0xffffb50ab35a60c0 Type->01 Signer->05 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab68cb080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 SecurityHealth
-0xffffb50ab68c2080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab6d21080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 svchost.exe
-0xffffb50ab6b2d080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 WmiPrvSE.exe
-0xffffb50ab3be6240 ProtectionLevel->00 Critical->0 SubsystemProcess->0 windbg.exe
-0xffffb50ab6579080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 notepad.exe
-0xffffb50ab3961080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 ImeBroker.exe
-0xffffb50ab6d2c080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 audiodg.exe
This output concerns Protected Processes, and it differs from one Windows build to the next. The listing contains a number of data items. When carrying out system analysis, add IF statements or similar to your own analysis code to narrow the output down to the information you need; for example, filter on the value "ProtectionLevel->00". The next output example shows only the entries other than "ProtectionLevel->00".
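As an added example (not the page's own analysis code), the following Python filter reads a constructed subset of the listing above, drops every "ProtectionLevel->00" entry as the text suggests, and decodes the Type/Signer fields of the remaining entries; the PS_PROTECTION byte layout (Type in bits 0-2, Signer in bits 4-7) and the enum names are assumptions taken from public Windows documentation, not from this page.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a subset of the listing above, in the same format.
SAMPLE = """\
+0xffffb50aac9d6040 Type->01 Signer->06 Critical->1 SubsystemProcess->0 smss.exe
-0xffffb50ab02e90c0 ProtectionLevel->00 Critical->0 SubsystemProcess->0 lsass.exe
+0xffffb50ab0366080 Type->00 Signer->00 Critical->1 SubsystemProcess->0 svchost.exe
+0xffffb50ab13d90c0 Type->01 Signer->03 Critical->0 SubsystemProcess->0 MsMpEng.exe
-0xffffb50aac61e080 ProtectionLevel->00 Critical->0 SubsystemProcess->0 explorer.exe
+0xffffb50ab24bc080 Type->02 Signer->06 Critical->0 SubsystemProcess->0 SgrmBroker.exe
"""

# Names of the public PS_PROTECTED_TYPE / PS_PROTECTED_SIGNER enum values (assumed).
TYPE_NAMES = {0: "None", 1: "ProtectedLight", 2: "Protected"}
SIGNER_NAMES = {0: "None", 1: "Authenticode", 2: "CodeGen", 3: "Antimalware",
                4: "Lsa", 5: "Windows", 6: "WinTcb", 7: "WinSystem"}

LINE_RE = re.compile(
    r"^[+-](?P<eprocess>0x[0-9a-f]+)\s+"
    r"(?:ProtectionLevel->(?P<level>[0-9a-f]{2})"
    r"|Type->(?P<type>[0-9a-f]{2})\s+Signer->(?P<signer>[0-9a-f]{2}))\s+"
    r"Critical->(?P<critical>[01])\s+SubsystemProcess->(?P<subsys>[01])\s+(?P<name>\S+)$"
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one listing line into a record; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m["level"] is not None:
        # "ProtectionLevel->" lines carry the raw PS_PROTECTION byte:
        # Type in bits 0-2, Audit in bit 3, Signer in bits 4-7 (assumed layout).
        level = int(m["level"], 16)
        ptype, signer = level & 0x7, level >> 4
    else:
        # "Type->/Signer->" lines carry the split fields; rebuild the byte.
        ptype, signer = int(m["type"], 16), int(m["signer"], 16)
        level = (signer << 4) | ptype
    return {"eprocess": m["eprocess"], "name": m["name"], "level": level,
            "type": TYPE_NAMES.get(ptype, f"?{ptype}"),
            "signer": SIGNER_NAMES.get(signer, f"?{signer}"),
            "critical": m["critical"] == "1", "subsystem": m["subsys"] == "1"}


def protected_processes(text: str) -> List[Dict]:
    """Apply the filter the text describes: drop every ProtectionLevel->00 entry."""
    records = (parse_line(ln) for ln in text.splitlines())
    return [r for r in records if r is not None and r["level"] != 0]
```

Running `protected_processes(SAMPLE)` keeps smss.exe (0x61, ProtectedLight/WinTcb), MsMpEng.exe (0x31, ProtectedLight/Antimalware) and SgrmBroker.exe (0x62, Protected/WinTcb); the svchost.exe entry with Type->00 Signer->00 is dropped because its level is 00 even though it is marked Critical.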