ComputerSecurityStudent (CSS)


(ProcExp: Process Explorer)

{ Viewing Parent and Child Processes }

0. Background Information
    • The Process Explorer display consists of two sub-windows.


    • The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded.


    • Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.


    • The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work. 


1. Prerequisite
  1. Login to your Instructor VM as username Administrator
    • For those of you that are not part of this class, this is a Windows XP machine.


  2. From your Instructor VM, open Internet Explorer.
    • Paste the link below into the address bar to download the Process Explorer zip file.


  3. Click Save


  4. Save to C:\tools\ProcExp


  5. Select Open Folder


  6. Right Click on ProcessExplorer, Extract All


  7. Click Next


  8. Click Next


  9. Click Finish


2. Running ProcessExplorer
  1. Navigate to C:\tools\ProcExp\ProcessExplorer
    • Double Click on procexp.exe


  2. Click Run


  3. Click Agree


  4. Next you will see a screen that looks very similar to the below.


  5. Notice the Parent / Child Process Tree Structure
    • Each child process is indented under the process that created it (the parent is the process whose CreateProcess call launched it).
    • A process whose parent has already exited is shown at the top level. Process Explorer does not trust the recorded parent PID on its own, because Windows reuses PIDs and the number may by now belong to an unrelated process.
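The tree that Process Explorer draws can also be rebuilt from the command line, which is useful when the GUI is not available on a box or when you want a text copy for a report. The following PowerShell script is an added example, not part of the original lab or of Process Explorer. It assumes Windows PowerShell 2.0 or later (not installed by default on Windows XP) and an elevated prompt so that every process is visible. It applies the same parent check Process Explorer does: a child is linked to a parent only if that parent still exists and started before the child.

```powershell
# Added example (not part of the original lab): rebuild the parent/child
# tree that Process Explorer draws, using WMI so it can be checked without
# the GUI. Assumes Windows PowerShell 2.0 or later, run elevated.

$procs = @(Get-WmiObject -Class Win32_Process)
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

function Get-StartTime($proc) {
    if ($proc.CreationDate) {
        return [System.Management.ManagementDateTimeConverter]::ToDateTime($proc.CreationDate)
    }
    return [datetime]::MinValue     # Idle/System may report no creation time
}

# Windows reuses PIDs, so ParentProcessId alone can point at an unrelated
# process that was handed the dead parent's PID later. Process Explorer only
# links a child to a parent that still exists and started earlier; otherwise
# the child is shown at the top level. The same rule is applied here.
function Get-RealParentId($proc) {
    $parentId = [int]$proc.ParentProcessId
    if ($parentId -ne [int]$proc.ProcessId -and $byPid.ContainsKey($parentId) -and
        (Get-StartTime $byPid[$parentId]) -le (Get-StartTime $proc)) {
        return $parentId
    }
    return -1
}

function Show-Branch([int]$Id, [int]$Depth) {
    $proc = $byPid[$Id]
    $owner = $proc.GetOwner()      # User is empty for processes we cannot open
    $who = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '<n/a>' }
    '{0}{1} (PID {2}, PPID {3}, owner {4})' -f ('  ' * $Depth), $proc.Name, $Id, $proc.ParentProcessId, $who
    $children = $procs | Where-Object { (Get-RealParentId $_) -eq $Id } | Sort-Object ProcessId
    foreach ($child in $children) { Show-Branch ([int]$child.ProcessId) ($Depth + 1) }
}

# Roots: processes with no live, older parent (the Idle process lists itself as parent).
$roots = $procs | Where-Object { (Get-RealParentId $_) -lt 0 } | Sort-Object ProcessId
foreach ($root in $roots) { Show-Branch ([int]$root.ProcessId) 0 }
```

Compare the output with the Process Explorer window: a process that shows at the top level here but has a non-zero PPID is one whose parent exited, which is worth a second look when that process is something like a command shell or a scripting host.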



3. Viewing Process Properties
  1. Scroll Down to lsass.exe
    • Right click on lsass.exe
    • Click on Properties


  2. The Services tab lists the services hosted inside lsass.exe; on Windows XP these include Net Logon (service name Netlogon).
    • From the Services tab, you have the ability to:
      • Stop, Restart and Pause the selected service (the buttons act on the service, not on the lsass.exe process itself).
      • See who has Full Control, Read, and Write permission on the service.
    • Click on the Permissions button. The dialog that opens shows the service's own security descriptor, not the permissions on the lsass.exe process.


  3. For each user or group listed
    • Make sure only the Administrators group (and the built-in SYSTEM account, which is all-powerful on the machine regardless) has Full Control or Write permission.
    • Every other user or group should have only Read access, and perhaps special permissions such as Start.
    • Goal: we are verifying that only administrators can reconfigure, stop or delete the service. A user who can change a service's configuration can point it at a program of their choosing, which is why this check matters.


5. Creating a dump
  1. Highlight lsass.exe
    • Right Click on lsass.exe --> Create Dump --> Create Full Dump
    • A full dump of lsass.exe contains the credential material the Local Security Authority keeps in memory, so treat the file as sensitive evidence: keep it on the analysis system and do not copy it to shared locations.


  2. Navigate to C:\tools\ProcExp\ProcessExplorer (See Below)
    • Save the file as lsass-YYYYMMDD.dmp, where YYYYMMDD is today's date (year, month, day).


  3. Using Windows Explorer, Navigate to C:\tools\ProcExp\ProcessExplorer
    • Proof of Lab: Highlight lsass-YYYYMMDD.dmp, Do a screen print, Paste into word doc, Upload to Moodle.


  4. Special Note (not required for this lab) on dumping more than one process.
    • Create Dump captures only the address space of the process you highlighted. Highlighting System --> Create Dump --> Create Full Dump would give you the System process alone, not the memory of every process on the machine.
    • From a forensics point of view you would want to capture everything, which means a physical-memory image taken with a memory-acquisition tool rather than per-process dumps from Process Explorer.


Proof of Lab
  1. Cut and Paste a screen shot that looks similar to Step #3 in Section 5 into a word document and upload to Moodle.


