# Processes

## Overview

**Evidence:** Processes\
**Description:** Collect Processes\
**Category:** System\
**Platform:** esxi\
**Short Name:** process\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

On ESXi, a process snapshot captures the running worlds (the vmkernel's scheduling entities) and the cartels that group them into process-like units: the management daemons such as hostd and vpxa, helper services, and the worlds backing each virtual machine. Because an attacker who reaches the hypervisor typically runs something new or replaces an existing daemon, this listing is key for detecting unauthorized services, processes launched from unexpected locations, and runtime anomalies such as a known daemon with a changed command line or security domain.

## Data Collected

This collector gathers one structured record per world listed in the snapshot. Several worlds can share a cartel ID; those records together describe a single process.

### Processes Data

| Field            | Description                                                                                      | Example        |
| ---------------- | ------------------------------------------------------------------------------------------------ | -------------- |
| `WID`            | World ID, the identifier of the vmkernel scheduling entity (thread-level)                        | 123            |
| `CID`            | Cartel ID, the group of worlds sharing an address space; the ESXi counterpart of a process ID    | 123            |
| `Name`           | World name, normally the executable name                                                         | hostd          |
| `GID`            | Group ID of the world as reported by the snapshot                                                | 123            |
| `PGID`           | Process group ID                                                                                 | 123            |
| `SID`            | Session ID                                                                                       | 123            |
| `PCID`           | Parent cartel ID; use it to rebuild the process tree                                             | 123            |
| `Type`           | World type (user-space world, VMM world, and so on)                                              | User           |
| `State`          | Scheduler state of the world                                                                     | WAIT           |
| `Wait`           | Wait reason, populated when the world is blocked                                                 | Example value  |
| `CPU`            | CPU field as reported by the snapshot (the CPUs the world may run on)                            | Example value  |
| `Time`           | Accumulated CPU time                                                                             | Example value  |
| `SecurityDomain` | ESXi security domain the world executes under                                                    | Example value  |
| `UserSpace`      | Whether the world runs in user space rather than inside the vmkernel                             | Example value  |
| `Command`        | Full command line, including arguments                                                           | /bin/hostd -u  |

## Collection Method

This collector parses a pre-generated detailed process snapshot text file rather than querying the host at collection time. It reads the header row to locate the columns, tokenizes each subsequent line on whitespace, and normalizes the per-world attributes: the numeric identifiers (`WID`, `CID`, `GID`, `PGID`, `SID`, `PCID`), state and wait fields, the CPU and time fields, and the command line. Because `Command` is the last column and its arguments contain spaces, it must be kept as the remainder of the line rather than split into further tokens.
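The following is an added example of the parsing and normalization described above, written for this page rather than taken from the collector's own code. It assumes a snapshot whose header row uses exactly the field names in the table, whitespace-separated columns, a `-` placeholder for an empty `Wait` field, and the prefix allowlist used by the last function; the sample snapshot is constructed and is not real ESXi output.

```python
"""Parse an ESXi process-snapshot text file into per-world and per-cartel records.

Added example, not the collector's own code. The column names follow the page's
field list; the header layout, the "-" placeholder and the sample data are assumptions.
"""
from collections import OrderedDict

COLUMNS = ["WID", "CID", "Name", "GID", "PGID", "SID", "PCID", "Type", "State",
           "Wait", "CPU", "Time", "SecurityDomain", "UserSpace", "Command"]
INT_COLUMNS = {"WID", "CID", "GID", "PGID", "SID", "PCID"}

# Constructed sample (not real ESXi output). Two hostd worlds share one cartel;
# the last entry is a shell started from /tmp, the kind of thing a hunt should surface.
SAMPLE_SNAPSHOT = """\
WID      CID      Name   GID      PGID     SID      PCID     Type  State  Wait    CPU  Time   SecurityDomain  UserSpace  Command
2097154  2097154  init   2097154  2097154  2097154  0        User  WAIT   UFUTEX  0-1  1.2    superDom        yes        /bin/init
2097177  2097177  hostd  2097177  2097177  2097177  2097154  User  WAIT   UFUTEX  0-1  95.4   hostd           yes        /bin/hostd -u
2097178  2097177  hostd  2097177  2097177  2097177  2097154  User  RUN    -       0-1  31.0   hostd           yes        /bin/hostd -u
2098001  2098001  sh     2098001  2098001  2098001  2097177  User  WAIT   UFUTEX  0-1  0.1    superDom        yes        /tmp/.x/sh -c /tmp/.x/run.sh
"""


def parse_snapshot(text):
    """Return one dict per world, in file order.

    Command is the last column and may contain spaces, so each line is split
    at most len(COLUMNS) - 1 times and the remainder is kept verbatim.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    if header != COLUMNS:
        raise ValueError("unexpected header: %r" % header)
    worlds = []
    for lineno, line in enumerate(lines[1:], start=2):
        parts = line.split(None, len(COLUMNS) - 1)
        if len(parts) != len(COLUMNS):
            raise ValueError("line %d has %d fields, expected %d"
                             % (lineno, len(parts), len(COLUMNS)))
        rec = dict(zip(COLUMNS, parts))
        for col in INT_COLUMNS:
            rec[col] = int(rec[col])
        if rec["Wait"] == "-":          # assumed placeholder for "not waiting"
            rec["Wait"] = None
        rec["Command"] = rec["Command"].strip()
        worlds.append(rec)
    return worlds


def group_by_cartel(worlds):
    """Collapse worlds into cartels keyed by CID.

    A cartel is the process-like unit on ESXi; its worlds are threads sharing
    one address space, so the command line and parent are taken from the first
    world seen and the remaining worlds are recorded as members.
    """
    cartels = OrderedDict()
    for w in worlds:
        c = cartels.setdefault(w["CID"], {
            "CID": w["CID"], "PCID": w["PCID"], "Name": w["Name"],
            "SecurityDomain": w["SecurityDomain"], "Command": w["Command"],
            "worlds": []})
        c["worlds"].append(w["WID"])
    return cartels


# Assumed allowlist of locations a legitimate ESXi daemon is launched from;
# adjust to the build you are examining.
ALLOWED_PREFIXES = ("/bin/", "/sbin/", "/usr/lib/vmware/")


def find_unexpected_paths(cartels, allowed=ALLOWED_PREFIXES):
    """Return cartels whose executable does not live under an allowed prefix."""
    hits = []
    for c in cartels.values():
        exe = c["Command"].split()[0]
        if not exe.startswith(allowed):
            hits.append(c)
    return hits


if __name__ == "__main__":
    cartels = group_by_cartel(parse_snapshot(SAMPLE_SNAPSHOT))
    for c in cartels.values():
        print("CID %d  parent %d  worlds %s  %s" % (c["CID"], c["PCID"], c["worlds"], c["Command"]))
    for c in find_unexpected_paths(cartels):
        print("unexpected executable path: CID %d %s" % (c["CID"], c["Command"]))
```

The header check is deliberate: if the snapshot was produced with a different set of columns, silently zipping fields would shift every value one column to the left and corrupt the identifiers, so the parser refuses the file instead. The path allowlist is only a starting heuristic; pair it with the `PCID` tree and the `SecurityDomain` field to see who launched the unexpected cartel and under which domain it runs.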

## Forensic Value

Process listings reveal which components were active at snapshot time and make it possible to compare the host against a baseline of expected daemons. Unknown names, legitimate names with an unexpected `Command` path or `SecurityDomain`, and cartels whose `PCID` points at an unusual parent are the typical indicators of a malicious or misconfigured service. The identifiers also support timeline correlation: a `CID` or `WID` ties a process to entries in host logs, and VM-backing worlds tie the listing to VM power and migration operations recorded elsewhere.
