Processes and Modules
Overview
Evidence: Processes and Modules
Description: Collect Process and Modules List
Category: System
Platform: Windows
Short Name: pri
Is Parsed: Yes (process information is parsed into structured tables)
Sent to Investigation Hub: Yes
Collect File(s): No
Background
A Windows process is an instance of an executing program. Each process has its own virtual address space, a security context (its primary token, from which the SID and username below are taken), and its own set of handles to kernel objects. Knowing which processes were running, who started them and what they had loaded is fundamental to incident response and threat hunting.
Two structures supply most of what this collector records. The kernel-mode process object (EPROCESS) holds the creation time, the parent PID and the token. The Process Environment Block (PEB) is a user-mode structure inside the process's own address space; its process parameters hold the command line, current directory and environment block, and its loader data (PEB_LDR_DATA) holds the linked lists of loaded modules. Because the PEB is writable by the process itself, a process can tamper with what it reports: unlinking a module from the loader lists or rewriting its command line are well-known evasion techniques, so a gap between the PEB view and other sources (for example a thread start address that falls in no listed module) is itself worth noting.
Data Collected
Processes Table
Column | Description | Example
ProcessID | Process identifier (PID) | 1234
ParentID | PID of the creating process; the parent may have exited and its PID may have been reused since, so compare creation times before trusting the relationship | 5678
SessionID | Logon session the process runs in (0 is the services session) | 1
Object | Kernel address of the process object (EPROCESS) | 0xFFFF8A8012345678
PEB | Address of the Process Environment Block in the process's user-mode address space | 0x000000007FFD0000
BaseAddress | Image base of the main executable | 0x00007FF6ABC00000
CreationTime | Process creation timestamp | 2023-10-15T14:30:00
Is32Bit | Whether the process is 32-bit (a WOW64 process on 64-bit Windows) | TRUE/FALSE
SID | SID of the user in the process's primary token | S-1-5-21-...
Username | Resolved account name for that SID | DOMAIN\user
Name | Image file name | chrome.exe
CommandLine | Full command line as read from the PEB process parameters | "C:\Program Files\Chrome\chrome.exe" --type=renderer
ProcessPath | Full path of the executable | C:\Program Files\Chrome\chrome.exe
BasePriority | Process base priority (8 is the default for a normal-priority-class process) | 8
IsVirtualProcess | Whether the process is a virtual process | FALSE
Process Modules Table
Column | Description | Example
ProcessRowID | Row in the Processes table this module belongs to | 1
DllPath | Full path of the loaded module (the PEB loader lists also carry an entry for the main executable) | C:\Windows\System32\kernel32.dll
DllBase | Virtual address at which the module is mapped | 0x00007FFE12340000
EntryPoint | Address of the module's entry point (DllMain for a DLL) | 0x00007FFE12341000
SizeOfImage | Size of the mapped image in bytes; DllBase plus SizeOfImage is the end of the module's address range | 524288
LoadCount | Loader reference count for the module | 1
Process Threads Table
Column | Description | Example
ProcessRowID | Row in the Processes table this thread belongs to | 1
ThreadID | Thread identifier (TID) | 9876
Win32StartAddress | Start routine supplied by the thread's creator (the lpStartAddress argument of CreateThread or CreateRemoteThread); this is the address to test against the module ranges when hunting injected threads | 0x00007FF6ABC12340
StartAddress | Initial start address recorded in the kernel thread object; for user-mode threads on current Windows this is normally the loader's thread start stub in ntdll, which then calls Win32StartAddress, so it rarely differs from one thread to the next | 0x00007FF6ABC12340
CreateTime | Thread creation timestamp | 2023-10-15T14:30:05
StackBase | Highest address of the thread's user-mode stack | 0x0000001234560000
StackLimit | Lowest committed address of the stack (the stack grows down from StackBase toward StackLimit) | 0x0000001234520000
State | Thread state code (KTHREAD_STATE: 0 Initialized, 1 Ready, 2 Running, 3 Standby, 4 Terminated, 5 Waiting, 6 Transition, 7 DeferredReady) | 5
WaitReason | Reason the thread is waiting (KWAIT_REASON code; 0 is Executive) | 0
BasePriority | Thread base priority | 8
Priority | Current (dynamic) priority | 8
Process Handles Table
Column | Description | Example
ProcessRowID | Row in the Processes table this handle belongs to | 1
Handle | Handle value in the process's handle table | 0x1234
HandleType | Object type name (File, Key, Event, Section, Process, Thread, ...) | File
HandleName | Object name in NT namespace form; file names use device paths rather than drive letters | \Device\HarddiskVolume3\Windows\System32\kernel32.dll
HandleAccess | Granted access mask; for a File handle, 0x12019F is FILE_GENERIC_READ combined with FILE_GENERIC_WRITE | 0x12019F
HandleAttributes | Handle attribute flags (for example 0x2 is OBJ_INHERIT) | 0
HandleObject | Kernel address of the object the handle refers to | 0xFFFF8A8012345678
Process Arguments Table
Column | Description | Example
ProcessRowID | Row in the Processes table the argument belongs to | 1
(file information columns) | File information for each path-like argument extracted from the command line | 
Collection Method
This collector uses a kernel driver to enumerate running processes and gather detailed information in the following steps:
Process list from the kernel
Detailed per-process information via IOCTL calls to the driver
Module enumeration from the PEB loader lists
Thread enumeration
Handle enumeration
Command line parsing to extract file paths, which feed the Process Arguments table
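The last step above has to split a raw command line the way Windows itself does before it can tell which arguments are paths. The following is an added example, not IREC code or part of this page's product: it implements the quoting rules of CommandLineToArgvW (the program name ends at its closing quote or first space with no escape processing; afterwards 2n backslashes before a quote give n backslashes and a quote toggle, 2n+1 give n backslashes and a literal quote) and then extracts drive-letter and UNC paths from each argument. The sample command lines are constructed for the demonstration; the path regex is a pragmatic choice, not the collector's own rule.

```python
import re

# Added example: Windows command-line splitting plus path extraction.
# Not part of the IREC collector; the sample inputs below are constructed.


def split_command_line(cmd: str) -> list:
    """Split `cmd` into arguments using CommandLineToArgvW's rules.

    argv[0] is special: it ends at the closing quote (if it starts with one)
    or at the first whitespace, and backslashes inside it are never escapes.
    The newer CRT rule that a doubled quote inside a quoted argument yields a
    literal quote is deliberately not implemented here.
    """
    args = []
    i, n = 0, len(cmd)
    while i < n and cmd[i] in " \t":
        i += 1
    if i >= n:
        return args
    if cmd[i] == '"':
        j = cmd.find('"', i + 1)
        j = n if j == -1 else j
        args.append(cmd[i + 1:j])
        i = j + 1
    else:
        j = i
        while j < n and cmd[j] not in " \t":
            j += 1
        args.append(cmd[i:j])
        i = j
    while True:
        while i < n and cmd[i] in " \t":
            i += 1
        if i >= n:
            return args
        cur, in_quotes = [], False
        while i < n:
            c = cmd[i]
            if c == "\\":
                j = i
                while j < n and cmd[j] == "\\":
                    j += 1
                run = j - i
                if j < n and cmd[j] == '"':
                    cur.append("\\" * (run // 2))
                    if run % 2:      # odd run: the quote is a literal character
                        cur.append('"')
                        i = j + 1
                    else:            # even run: the quote acts as a delimiter below
                        i = j
                else:                # backslashes not followed by a quote are literal
                    cur.append("\\" * run)
                    i = j
            elif c == '"':
                in_quotes = not in_quotes
                i += 1
            elif c in " \t" and not in_quotes:
                break
            else:
                cur.append(c)
                i += 1
        args.append("".join(cur))


# Drive-letter (C:\...) or UNC (\\server\share\...) path, allowing spaces because
# quoting has already been resolved by split_command_line.
PATH_RE = re.compile(r'(?:[A-Za-z]:\\|\\\\[^\\\s]+\\)[^"*?<>|]*')


def extract_paths(cmd: str) -> list:
    """Return the path-like arguments found in `cmd`, in order, without duplicates."""
    found = []
    for arg in split_command_line(cmd):
        for m in PATH_RE.finditer(arg):
            path = m.group(0).rstrip()
            if path and path not in found:
                found.append(path)
    return found


# Constructed sample command lines (not taken from a real collection).
SAMPLE_CHROME = (r'"C:\Program Files\Chrome\chrome.exe" --type=renderer '
                 r'--log-file=C:\Users\user\AppData\Local\Temp\chrome.log')
SAMPLE_COPY = r'cmd.exe /c copy "C:\Users\u\a b.txt" D:\out\a.txt'

if __name__ == "__main__":
    for sample in (SAMPLE_CHROME, SAMPLE_COPY):
        print(split_command_line(sample))
        print(extract_paths(sample))
```

Paths are extracted from each argument after splitting, so an argument such as --log-file=C:\... still yields its path, while the quoted program name survives with its embedded spaces intact.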
Usage
Process information is fundamental for incident response and threat hunting. Investigators use this data to identify malicious processes, detect process injection, analyze parent-child relationships, identify suspicious command lines, track loaded DLLs, detect thread injection, enumerate open handles to files and registry keys, and establish process execution timelines. Two checks are worth running routinely across these tables: a thread whose Win32StartAddress falls outside every module range in the Process Modules table is either an injected thread or evidence that a module has been hidden from the PEB, and a child whose recorded parent has a later CreationTime than itself points at a reused PID, meaning the real parent has already exited. This evidence is particularly valuable for detecting living-off-the-land attacks, fileless malware, and process manipulation techniques.
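The two checks just described, as an added example rather than anything IREC ships: the rows are small dataclasses standing in for the Processes, Process Modules and Process Threads tables (field names follow the columns above; the row values, including a second "injected" thread and a child created before its recorded parent, are constructed for the demonstration). The module lookup is a binary search over DllBase, and the PID-reuse check is a plain comparison of creation times.

```python
from bisect import bisect_right
from dataclasses import dataclass
from datetime import datetime

# Added example: triage over collected process, module and thread rows.
# Not part of the IREC collector; all rows below are constructed.


@dataclass
class ProcessRow:
    row_id: int
    process_id: int
    parent_id: int
    name: str
    creation_time: datetime


@dataclass
class ModuleRow:
    process_row_id: int
    dll_path: str
    dll_base: int
    size_of_image: int


@dataclass
class ThreadRow:
    process_row_id: int
    thread_id: int
    win32_start_address: int
    start_address: int


def module_for(modules_sorted, addr):
    """Return the module whose [DllBase, DllBase + SizeOfImage) holds addr, else None.
    modules_sorted must be sorted by dll_base."""
    bases = [m.dll_base for m in modules_sorted]
    i = bisect_right(bases, addr) - 1
    if i >= 0 and addr < modules_sorted[i].dll_base + modules_sorted[i].size_of_image:
        return modules_sorted[i]
    return None


def unbacked_thread_starts(modules, threads):
    """Threads whose start addresses are not inside any module listed for their process.
    Returns (process_row_id, thread_id, column, address) tuples."""
    by_proc = {}
    for m in modules:
        by_proc.setdefault(m.process_row_id, []).append(m)
    for lst in by_proc.values():
        lst.sort(key=lambda m: m.dll_base)
    findings = []
    for t in threads:
        mods = by_proc.get(t.process_row_id, [])
        for column, addr in (("Win32StartAddress", t.win32_start_address),
                             ("StartAddress", t.start_address)):
            if module_for(mods, addr) is None:
                findings.append((t.process_row_id, t.thread_id, column, addr))
    return findings


def stale_parents(processes):
    """(child PID, parent PID) pairs where the recorded parent was created after the
    child: the ParentID refers to a reused PID and the true parent has exited."""
    by_pid = {p.process_id: p for p in processes}
    return [(p.process_id, p.parent_id) for p in processes
            if p.parent_id in by_pid and by_pid[p.parent_id].creation_time > p.creation_time]


# Constructed sample rows. Row 1 is the chrome.exe example from the tables above with
# its main image and two system DLLs; thread 9999 starts in unmapped memory.
PROCESSES = [
    ProcessRow(1, 1234, 5678, "chrome.exe", datetime(2023, 10, 15, 14, 30, 0)),
    ProcessRow(2, 5678, 800, "chrome.exe", datetime(2023, 10, 15, 14, 29, 50)),
    ProcessRow(3, 7777, 5555, "powershell.exe", datetime(2023, 10, 15, 14, 40, 0)),
    ProcessRow(4, 5555, 800, "notepad.exe", datetime(2023, 10, 15, 14, 45, 0)),
]
MODULES = [
    ModuleRow(1, r"C:\Program Files\Chrome\chrome.exe", 0x00007FF6ABC00000, 0x200000),
    ModuleRow(1, r"C:\Windows\System32\kernel32.dll", 0x00007FFE12340000, 524288),
    ModuleRow(1, r"C:\Windows\System32\ntdll.dll", 0x00007FFE13000000, 0x1F0000),
]
THREADS = [
    ThreadRow(1, 9876, 0x00007FF6ABC12340, 0x00007FFE13050000),  # main thread, in image
    ThreadRow(1, 9999, 0x00001A2B3C4D0000, 0x00007FFE13050000),  # starts in no module
]

if __name__ == "__main__":
    for f in unbacked_thread_starts(MODULES, THREADS):
        print("unbacked thread start: row=%d tid=%d %s=0x%X" % f)
    for child, parent in stale_parents(PROCESSES):
        print("stale parent: pid %d -> recorded parent %d created later" % (child, parent))
```

Both functions flag the "injected" thread's Win32StartAddress but not its StartAddress, which sits in ntdll exactly as a CreateRemoteThread-created thread's would, and flag powershell.exe whose recorded parent PID now belongs to a notepad.exe started five minutes later.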
Known Limitations
Only captures processes running at collection time; processes that exited earlier are not present and must be reconstructed from other evidence
Requires the kernel driver for full details
Not available on ARM64 systems
Some protected processes may have limited information
The current IREC process is excluded from collection
Notes
Process collection uses a custom kernel driver to access low-level process details that are not exposed through the standard Windows APIs. The driver enables collection of kernel object addresses, PEB information, and detailed handle data.