Win10: System processes are reported with pid and ppid, but with no command or arguments #67

Open
jeghers opened this issue Dec 9, 2017 · 1 comment


@jeghers

jeghers commented Dec 9, 2017

Here is what I am getting on Windows 10:

{ pid: '0', command: '', arguments: '', ppid: '0' }
{ pid: '4', command: '', arguments: '', ppid: '0' }
{ pid: '412', command: '', arguments: '', ppid: '4' }
{ pid: '580', command: '', arguments: '', ppid: '492' }
{ pid: '684', command: '', arguments: '', ppid: '492' }
{ pid: '692', command: '', arguments: '', ppid: '676' }
{ pid: '760', command: '', arguments: '', ppid: '684' }
{ pid: '792', command: '', arguments: '', ppid: '684' }
{ pid: '864', command: '', arguments: '', ppid: '676' }
{ pid: '968', command: '', arguments: '', ppid: '760' }
{ pid: '996', command: '', arguments: '', ppid: '760' }
{ pid: '1020', command: '', arguments: '', ppid: '864' }
{ pid: '96', command: '', arguments: '', ppid: '684' }
{ pid: '756', command: '', arguments: '', ppid: '760' }
{ pid: '496', command: '', arguments: '', ppid: '760' }
{ pid: '1088', command: '', arguments: '', ppid: '864' }
{ pid: '1184', command: '', arguments: '', ppid: '760' }
{ pid: '1200', command: '', arguments: '', ppid: '760' }
{ pid: '1268', command: '', arguments: '', ppid: '760' }
{ pid: '1340', command: '', arguments: '', ppid: '760' }
{ pid: '1376', command: '', arguments: '', ppid: '760' }
{ pid: '1384', command: '', arguments: '', ppid: '1200' }
{ pid: '1400', command: '', arguments: '', ppid: '760' }
{ pid: '1416', command: '', arguments: '', ppid: '760' }
{ pid: '1424', command: '', arguments: '', ppid: '760' }
{ pid: '1620', command: '', arguments: '', ppid: '760' }
{ pid: '1732', command: '', arguments: '', ppid: '760' }
{ pid: '1772', command: '', arguments: '', ppid: '760' }
{ pid: '1808', command: '', arguments: '', ppid: '760' }
{ pid: '1920', command: '', arguments: '', ppid: '760' }
{ pid: '1972', command: '', arguments: '', ppid: '1200' }
{ pid: '2008', command: '', arguments: '', ppid: '760' }
{ pid: '2020', command: '', arguments: '', ppid: '760' }
{ pid: '1036', command: '', arguments: '', ppid: '760' }
{ pid: '1064', command: '', arguments: '', ppid: '760' }
{ pid: '2076', command: '', arguments: '', ppid: '760' }
{ pid: '2104', command: '', arguments: '', ppid: '760' }
{ pid: '2164', command: '', arguments: '', ppid: '760' }
{ pid: '2216', command: '', arguments: '', ppid: '1036' }
{ pid: '2256', command: '', arguments: '', ppid: '760' }
{ pid: '2420', command: '', arguments: '', ppid: '760' }
{ pid: '2508', command: '', arguments: '', ppid: '760' }
{ pid: '2564', command: '', arguments: '', ppid: '760' }
{ pid: '2596', command: '', arguments: '', ppid: '2508' }
{ pid: '2620', command: '', arguments: '', ppid: '760' }
{ pid: '2628', command: '', arguments: '', ppid: '760' }
{ pid: '2804', command: '', arguments: '', ppid: '760' }
{ pid: '2828', command: '', arguments: '', ppid: '760' }
{ pid: '4672', command: '', arguments: '', ppid: '760' }
{ pid: '4684', command: '', arguments: '', ppid: '760' }
{ pid: '5196', command: '', arguments: '', ppid: '4' }
{ pid: '6012', command: '', arguments: '', ppid: '760' }
{ pid: '6196', command: '', arguments: '', ppid: '996' }
{ pid: '7088', command: '', arguments: '', ppid: '760' }
{ pid: '7660', command: '', arguments: '', ppid: '760' }
{ pid: '7704', command: '', arguments: '', ppid: '760' }
{ pid: '8136',
  command: 'C:\\Program Files (x86)\\HitmanPro.Alert\\hmpalert.exe',
  arguments: [ '/tray' ],
  ppid: '1920' }
{ pid: '8180',
  command: 'C:\\Windows\\TEMP\\DPTF\\esif_assist_64.exe',
  arguments: '',
  ppid: '4084' }
{ pid: '6680',
  command: 'sihost.exe',
  arguments: '',
  ppid: '1772' }
{ pid: '8300',
  command: 'C:\\Windows\\Explorer.EXE',
  arguments: '',
  ppid: '9084' }
{ pid: '9120',
  command: 'igfxEM.exe',
  arguments: '',
  ppid: '9104' }
{ pid: '7908',
  command: 'igfxHK.exe',
  arguments: '',
  ppid: '9104' }
{ pid: '8712',
  command: 'igfxTray.exe',
  arguments: '',
  ppid: '9104' }
{ pid: '9208',
  command: 'c:\\windows\\system32\\svchost.exe',
  arguments: [ '-k', 'unistacksvcgroup', '-s', 'CDPUserSvc' ],
  ppid: '760' }
{ pid: '7084',
  command: 'C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe',
  arguments: '',
  ppid: '4536' }
{ pid: '704',
  command: 'c:\\windows\\system32\\svchost.exe',
  arguments: [ '-k', 'unistacksvcgroup', '-s', 'WpnUserService' ],
  ppid: '760' }
{ pid: '1788', command: '', arguments: '', ppid: '760' }
{ pid: '8332', command: '', arguments: '', ppid: '1620' }
{ pid: '2820',
  command: 'taskhostw.exe',
  arguments: [ '{222A245B-E637-4AE9-A93F-A59CA119A75E}' ],
  ppid: '1620' }
{ pid: '9376', command: '', arguments: '', ppid: '760' }
{ pid: '9660', command: '', arguments: '', ppid: '1232' }
{ pid: '9668', command: '', arguments: '', ppid: '1668' }
{ pid: '9680', command: '', arguments: '', ppid: '1668' }
{ pid: '9812',
  command: 'C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe',
  arguments: [ '-ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca' ],
  ppid: '996' }
{ pid: '10116', command: '', arguments: '', ppid: '760' }
{ pid: '9556',
  command: 'C:\\Windows\\System32\\RuntimeBroker.exe',
  arguments: [ '-Embedding' ],
  ppid: '996' }
{ pid: '1668', command: '', arguments: '', ppid: '760' }
{ pid: '8672',
  command: 'C:\\Program Files\\Windows Defender\\MSASCuiL.exe',
  arguments: '',
  ppid: '8300' }
{ pid: '10784',
  command: 'C:\\Program Files\\Realtek\\Audio\\HDA\\RtkNGUI64.exe',
  arguments: [ '-s' ],
  ppid: '8300' }
{ pid: '11036',
  command: 'C:\\Program Files\\Realtek\\Audio\\HDA\\RAVBg64.exe',
  arguments: [ '/IM' ],
  ppid: '8300' }
{ pid: '11016',
  command: 'C:\\Windows\\system32\\wbem\\unsecapp.exe',
  arguments: [ '-Embedding' ],
  ppid: '996' }
{ pid: '1108', command: '', arguments: '', ppid: '996' }
{ pid: '11280', command: '', arguments: '', ppid: '11268' }
{ pid: '11368',
  command: 'C:\\Program Files\\Alienware\\Command Center\\AWCCServiceController.exe',
  arguments: '',
  ppid: '11292' }
{ pid: '11420', command: '', arguments: '', ppid: '11280' }
{ pid: '11440', command: '', arguments: '', ppid: '11280' }
{ pid: '11500',
  command: 'C:\\Program Files\\Sophos\\Sophos UI\\Sophos UI.exe',
  arguments: [ '/hidden' ],
  ppid: '8300' }
{ pid: '11760', command: '', arguments: '', ppid: '11292' }
{ pid: '11916',
  command: 'C:\\Program Files\\Box\\Box Sync\\BoxSync.exe',
  arguments: [ '-m' ],
  ppid: '8300' }
{ pid: '12072',
  command: 'C:\\Program Files\\iTunes\\iTunesHelper.exe',
  arguments: '',
  ppid: '8300' }
{ pid: '11316', command: '', arguments: '', ppid: '760' }
{ pid: '11628',
  command: 'C:\\Program Files (x86)\\MySQL\\MySQL Notifier 1.1\\MySQLNotifier.exe',
  arguments: '',
  ppid: '8300' }
{ pid: '11712',
  command: 'C:\\Program Files\\Killer Networking\\Killer Control Center\\KillerControlCenter.exe',
  arguments: [ '-minimized' ],
  ppid: '8300' }
{ pid: '12048',
  command: 'C:\\Program Files (x86)\\BeAnywhere Support Express\\GetSupportService_N-Central\\BASupSrvcCnfg.exe',
  arguments: [ '/silent' ],
  ppid: '10052' }
{ pid: '12268',
  command: 'C:\\Program Files\\Box\\Box Sync\\BoxSyncMonitor.exe',
  arguments: [ '-l', '75', '-p', '11916' ],
  ppid: '11916' }
{ pid: '9112',
  command: '\\??\\C:\\Windows\\system32\\conhost.exe',
  arguments: [ '0x4' ],
  ppid: '12268' }
{ pid: '11732',
  command: 'C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe',
  arguments: '',
  ppid: '10052' }
{ pid: '712',
  command: 'C:\\Program Files\\Alienware\\Command Center\\AlienwareAlienFXController.exe',
  arguments: '',
  ppid: '11292' }
{ pid: '1660',
  command: 'C:\\Program Files\\Alienware\\Command Center\\AlienFusionController.exe',
  arguments: '',
  ppid: '712' }
{ pid: '12736',
  command: 'C:\\Program Files\\Alienware\\Command Center\\AWCCApplicationWatcher32.exe',
  arguments: [ '262326' ],
  ppid: '11368' }
{ pid: '12752',
  command: '\\??\\C:\\Windows\\system32\\conhost.exe',
  arguments: [ '0x4' ],
  ppid: '12736' }
{ pid: '12764',
  command: 'C:\\Program Files\\Alienware\\Command Center\\AWCCApplicationWatcher64.exe',
  arguments: [ '262326' ],
  ppid: '11368' }
{ pid: '12776',
  command: '\\??\\C:\\Windows\\system32\\conhost.exe',
  arguments: [ '0x4' ],
  ppid: '12764' }
{ pid: '12568',
  command: 'C:\\Program Files (x86)\\Cisco\\Cisco AnyConnect Secure Mobility Client\\vpnui.exe',
  arguments: [ '-minimized' ],
  ppid: '10052' }
{ pid: '816', command: '', arguments: '', ppid: '760' }
{ pid: '13788', command: '', arguments: '', ppid: '760' }
{ pid: '6140', command: '', arguments: '', ppid: '760' }
{ pid: '3768', command: '', arguments: '', ppid: '760' }
{ pid: '10024', command: '', arguments: '', ppid: '760' }
{ pid: '14380',
  command: 'c:\\windows\\system32\\svchost.exe',
  arguments: [ '-k', 'unistacksvcgroup' ],
  ppid: '760' }
{ pid: '15196',
  command: 'C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE',
  arguments: '',
  ppid: '8300' }
{ pid: '11256',
  command: 'C:\\Program Files\\Internet Explorer\\iexplore.exe',
  arguments: [ '-startmanager', '-Embedding' ],
  ppid: '996' }
{ pid: '13808',
  command: 'C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE',
  arguments: [ 'SCODEF:11256', 'CREDAT:75009', '/prefetch:2' ],
  ppid: '11256' }
{ pid: '12032',
  command: 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe',
  arguments: [ '--allow-running-insecure-content', '--disable-web-security' ],
  ppid: '8300' }
{ pid: '14984',
  command: 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe',
  arguments: 
   [ '--type=crashpad-handler',
     '--user-data-dir=C:\\Users\\Mark Jeghers\\AppData\\Local\\Google\\Chrome\\User Data',
     '/prefetch:7',
     '--monitor-self-annotation=ptype=crashpad-handler',
     '--database=C:\\Users\\Mark Jeghers\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad',
     '--metrics-dir=C:\\Users\\Mark Jeghers\\AppData\\Local\\Google\\Chrome\\User Data',
     '--url=https://clients2.google.com/cr/report',
     '--annotation=channel=',
     '--annotation=plat=Win64',
     '--annotation=prod=Chrome',
     '--annotation=ver=62.0.3202.94',
     '--initial-client-data=0x278,0x27c,0x280,0x274,0x284,0x7ff8d14027e8,0x7ff8d14027a8,0x7ff8d14027b8' ],
  ppid: '12032' }
{ pid: '6044',
  command: 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe',
  arguments: 
   [ '--type=watcher',
     '--main-thread-id=14628',
     '--on-initialized-event-handle=744',
     '--parent-handle=748',
     '/prefetch:6' ],
  ppid: '12032' }
etc etc etc
@addisonElliott

Had something similar happening to me.

The CommandLine field requires elevated permissions for any process that was not started by the current user. Thus, I bet most of these processes are run as the administrator and thus cannot be seen.

This is not the case for ps where the command can always be seen. What I want to do is add two more fields, Name and ExecutablePath that are retrieved and can be searched by that. These two are always available regardless of permission status.
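As an added example (not code from the library or from either commenter), the following parses the CSV that a `wmic process get CommandLine,ExecutablePath,Name,ParentProcessId,ProcessId /format:csv` query would print and applies the fallback addisonElliott proposes: when `CommandLine` comes back blank because the caller is not elevated, keep `ExecutablePath`, or failing that `Name`, and record that the command line was not readable instead of silently emitting an empty string. The wmic output is constructed inline (the alphabetical column order after a leading `Node` column is assumed), and `SAMPLE_WMIC_CSV`, `splitCsvLine`, `parseWmicProcesses` and `countHiddenCommandLines` are names chosen here; the column names are the `Win32_Process` properties the comment refers to.

```javascript
// Added example, not the library's code: parse the CSV from
//   wmic process get CommandLine,ExecutablePath,Name,ParentProcessId,ProcessId /format:csv
// and fall back to ExecutablePath, then Name, when CommandLine is blank.
// Constructed sample (real output would come from child_process); wmic's CSV
// mode is assumed to list columns alphabetically after a leading "Node" column.
const SAMPLE_WMIC_CSV = [
  '',
  'Node,CommandLine,ExecutablePath,Name,ParentProcessId,ProcessId',
  'HOST,,,System,0,4',                                             // kernel: nothing but a name
  'HOST,,,services.exe,684,760',                                   // SYSTEM-owned, caller not elevated
  'HOST,,C:\\Windows\\System32\\svchost.exe,svchost.exe,760,1620', // path visible, command line not
  'HOST,"c:\\windows\\system32\\svchost.exe -k unistacksvcgroup -s CDPUserSvc",c:\\windows\\system32\\svchost.exe,svchost.exe,760,9208',
  'HOST,"taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}",C:\\Windows\\System32\\taskhostw.exe,taskhostw.exe,1620,2820',
].join('\r\n');
// Split one CSV line, honouring double-quoted fields ("" inside quotes = literal quote).
function splitCsvLine(line) {
  const fields = [];
  let cur = '', quoted = false;
  for (let i = 0; i < line.length; i++) {
    const c = line[i];
    if (c === '"') {
      if (quoted && line[i + 1] === '"') { cur += '"'; i++; } else quoted = !quoted;
    } else if (c === ',' && !quoted) { fields.push(cur); cur = ''; }
    else cur += c;
  }
  fields.push(cur);
  return fields;
}
// One record per process. `command` is never blank; `commandLineVisible` says whether
// CommandLine was actually readable, so the visibility gap is recorded, not hidden.
function parseWmicProcesses(csv) {
  const lines = csv.split(/\r?\n/).filter((l) => l.trim() !== '');
  const header = splitCsvLine(lines[0]);
  return lines.slice(1).map((line) => {
    const row = Object.fromEntries(splitCsvLine(line).map((v, i) => [header[i], v.trim()]));
    const visible = row.CommandLine !== '';
    return {
      pid: row.ProcessId, ppid: row.ParentProcessId,
      name: row.Name, executablePath: row.ExecutablePath, commandLine: row.CommandLine,
      command: visible ? row.CommandLine : (row.ExecutablePath || row.Name),
      commandLineVisible: visible,
    };
  });
}
// How many entries an unelevated caller could not fully see.
const countHiddenCommandLines = (procs) => procs.filter((p) => !p.commandLineVisible).length;
const procs = parseWmicProcesses(SAMPLE_WMIC_CSV);
for (const p of procs) console.log(p.pid, p.command, p.commandLineVisible ? '' : '(command line hidden)');
```

Entries with `commandLineVisible: false` are exactly the ones an unelevated inventory run cannot vouch for; a monitoring job should count them rather than treat the blank fields as "no arguments".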
