Question

Follow the instructions on picture  for the Examine Running Processes project. Include screen prints of steps 3, 4, 5 and 6, with your assignment.

please help me with i don't have windows .

Project 9-2: Examine Running Processes In this project you will examine running processes on your system. Download Process Explorer from technet.microsoft.com 1. 2. Run Process Explorer on your Windows system. 3. In the main view, click the Process column header until you see a hier- archical view of the running processes on your system. What does this view depict? 4. Click View > Show Lower Pane, then View > Lower Pane View> Handles. Then click on different processes in the upper pane. What does this view depict? View the available data on the different tabs. What do they show? 6. (For advanced users) Click Find, then click Find Handle or DLL. In th search field, type procexp.exe. Click different entries in the result and notice what is happening in the main Process Explorer window. What is Process Explorer showing you? On Linux systems, the System Monitor tool shows running processes. On Mac systems, Activity Monitor shows running processes NOTE

Answer 1

Answer 3
**********
it shows parent process with under its running child processes.

File Options View Process Find Users Help CPU Private Bytes Working Set PID Description Company Name System Ide Process ESystem Intemupts 83 63 212 K 10.272 K 0K n/a Hardware Intemupts and DPCs 212 K 672 504 K 2436 K 260,652 K 3348 1,872 K 1,332 K 7,652 K 980 K 2.156K 912 32 K 452 6.512K 688 244 K 1092 Host Process for Windows S.,隡crosoft Corporation 28,776K 1116 Host Process for Windows S... Microsoft Corporation 66.268 K 22.968 K 7600 Auntime Broker 7.588 K 4032 Auntime Broker 25,984 K 9820 Auntime Broker winint.exe svchost.exe svchost.exe 25.184 K 165 376 K 12.596 K 7,720 K Microsoft Corporation Microsoft Corporation 12 464 K 4.464 K 2.712 K Cast Srv.exe dhost e WmiPrvSE exe 5.952 K 12256 Casting profocol connection L... Mcrosoft Corporation 6.080 K 13104 COM Surmrogate 4.840 K 7128 Microsoft Corporation 4,732 K 15,828 K 8.580 K 6.768 K 2460 K 0.140 K 7792 Auntime Broker 12,776K 7444 COM Surrogate 1840 K 8328 Edlhost exe 16,164 K CSystemSettings exe Sus21,124 K Microsoft Photos exe Susp82.808 20.144 K 14.640 K 22 680 K 2838 Application Frame 800 K 1624 Settings K61,3763088 26 344 K 13332 Auntime Broker 6128 Windows Explorer 5580 K 96 868 K 19,156 K 2216 K 11,344 K 7.172 K 2572 K 9 976 K 3.548 K 3.996 K 37.384 K 7.900 K 20828 WmiPry SE exe 29 548 K 21.996 Kl 04 Autim 1.116K 1156 11,860 K 1252 Host Process for Windows S.. Microscft Corporation 4092 K 1360 Host Process for Windows S.,隡crosoft Corporation 4.116K 1540 Host Process for Windows S... Microscft Corporation 1.648 K 1588 Host Process for Windows S... Microscft Corporation 2,864 K 1596 Host Process for Windows S.,隡crosoft Corporation WUDFHost exe svchost.exe svchost.exe svchost.exe svchost.exe svchost exe 1.828 K 2.516 K CPU Usage: 16.37% Commit Charge: 74.53% Processes: 210 Physical Usage: 50.41% ENG 302 PM

Process Explorer-Sysinternals: www.sysinternals.com [MADHAV Administrator] File Options View Process Find Handle Users Help System Information.. Ctri+I Process Company Name Show Process Tree Ctri T Show Column Heatmaps System Idle System IrtemupShow Unnamed Handles and Mappings Scroll to New Processes a Hardware Intemupts and DPCs 72 Show Processes From All Users Memor Opacity winint.exe 52 eservice Show Lower Pane Ctri-L svc Lower Pane View DLLs Ctri D Handles Ctrl-H Refresh Now F5 Update Speed Runtime Broker Microsaft Corporation Microsaft Corporation Runtime Broker Organize Column Set... Casting profocol connection .. Microsoft Corporation 4 COM Surrogate Save Column Set... Microsaft Corporation Load Column Set Type Select Columns... CPU Usage: 15.15% Commit Charge: 74.62% Processes: 211 Physical Usage: 49.85% 3:03 PM 31/05/2019 2

Process Explorer-Sysínternals: www.sysinternals.com [ rator] File Options View Process Find Handle Users Help CPU Privats Working Set PID Descrpton Company Name 848 K 52 K 212 K 0 K 504 K 2436 K 284 336 K 1,872 K 1,332 K 7,660 K 980 K 25 216 K 165 376 K 12 596 K 12,728 K 96 Registry ii Sy啮erm Ide Process ESystem Intemupts 81.16 8 K 10.272 K 4 1.25 0K n/a Hardware Intemupts and DPCs 212 K 672 Memory Compression 001 3348 912 452 688 1092 Host Process for Windows S., 2.164K 32 K 6.520 K 244 K 0.01 winint.exe 003 eservices exe svchost.exe svchost.exe 隡crosoft Corporation crosoft Corporation 001 28,812 K 1 116 Host Process for Windows S. 66.268 K 22.964 K 7600 Auntime Broker 588 K 4032 Funtime Broker 5.984 K 9820 Runtime Broker 12464 K Cast Srv.exe K 5.956 K 12256 Casting protocol connection !.. Microsoft Corporation 4.464 Cdlhost exe SE 2,712 K 6.080 K 13104 COM Surmrogate Microsoft Corporation K-3916 K Type ALPC Port DDC100A54378AE388E3E BaseNamedobjects CoreUjPID4032 TID(10000) 151341b-60b3-47ad-9b1d-5bi69a43.. ALPC Port Event Sessions1 s SubscribedContent-314559 Sesaions1BaseNamedObjects SubscnbedContent-338383 C:Windows System32 Device CNG Fle C:Windows\RegistrationR000000000015 cb C:Wndows System32 en-US Keme Base dl mu Device DeviceApi Device Harddisk Volume2 C:Windows System 32 en-USwindows.storage dl mu C:WndowsinSxSamd64 microsoft.windows.common-controls 6595b64144ccfldf 6.0... Fle Fle Fle Fle Device KsecDD Fle C:Windows WinSxS amd64 microsoft windows 6595b64144ccfldf 6.0 CPU Usage: 18.84% Commit Charge: 74.65% Processes: 211 Physical Usage: 49.98% ENG 304 PM 31/05/2019 2

Process Explorer-Sysínternals: www.sysinternals.com [ File Options View Process Find Handle Users Help CPU Privat BysWorking Set PID Descption Company Name 860 K 12,752K 96 8 K 10.272 K 4 0K n/a Hardware Intemupts and DPCs 212 K 672 3348 2.160K 912 32 K 452 6.516K 688 244 K 1092 Host Process for Windows S... Microsoft Corporation 28,796K 1116 Host Process for Windows S... Microsoft Corporation 66.268 K 22.952 K 7600 Auntime Broker 588 K 4032 Funtime Broker 80.12 0 63 1.09 52 K 212 K 0 K 504 K 2436 K 282 120 K 1,872 K 1,332 K 7656 K 980 K ESystem winint.exe 006 eservices exe 25.192 K 165 376 K 12 528 K 5.984 K 9820 Runtime Broker 12464 K K 5.956 K 12256 Casting protocol connection !.. Microsoft Corporation 2.712 K K5.956 K 12256 Caking protocal connection !. .Mcros 4.464 6.080 K 13104 COM Surmrogate Microsoft Corporation Type C."ProgramData Mcrosoft "Windows Caches cversions.2ro Sessions 1 BaseNamedObjectsVC.ProgramData Mcrosoft"Windows Caches'eversions.2ro sC"ProgramData Microsoft Windows Caches cversions 2ro C"ProgramData Mcrosoft Windows Caches TOA17230B C"ProgramData Mcroeoft Windows Caches 158AB68BD Sessions1 Sessions1 s SM0:4032:304:WStaging_02_D aLSM0:4032:304:WStaging 02 pOh Sessions 1 sISM0:4032:120:WIEmor 01 p0 s SM0:4032:120:WIEmor 01 p0h RuntimeBroker.exe(4032): 10000 WindowStation Sessions1 Windows WindowStations WinSta0 WindowStationSessionsIWindows Window StationsWinSta0 9 CPU Usage: 19.88% Commit Charge: 74.70% Processes: 210 Physical Usage: 49.89% ENG 305 PM 31/05/2019 U: 2.5 K

Answer 4
*********
That will show the process which accessed files and resources and registry semaphore status and critical section details.

Process Explorer-Sysinternals: www File Options View Process Find Handle Users Help CPU Pitvate Bytes Working Set PID 12.760K 6RuntimeBroker.exe:4032 Properties 872K 7451 0.77 0 95 ESystem 212 K 10.272 K 4 0K n Threads TCPTP Security Environment Job Strings Performance Graph GPU Graph 504 K 2436 K 1,872 K 1,332 K 7656 K 980 K 212 K 282 056K 672 3348 001 001 Image Fle 2.156K 912 32 K 452 6.516K 688 244 K 1092 28,796 K 1116 66.268 K 22.952K 7600 Runtime Broker (Microsoft. Windows.ShelExperienceHost 10 winint.exe 003 Version: 10.0.17134.1 Build Tme: 25.192 K 165 376 K 12.528 K C:Windows'System32 RuntimeBroker.exe 17.588 K 4032 25,984 K 9820 5.956 K 12256 ,080 K 13104 Command ine: 12464 K C:Windows System32 RuntimeBroker.exe -Embedding 4.464 K 2.712 K Current directory: C:Windows System32 Type Autostart Location Sesaions 1 C."ProgramData Mcrosoft "Windowa Sessions1 Sessions1 sC."ProgramData Microsoft Windows C ProgramData "Mcrosoft 'Windows C.ProgramData Mcrosoft Windows Parent: svchost.exe (1116) rator to Front Started: 2:38:16 AM 16/05/2019 Image: 64-bit windows ie global_counters s SM0:4032:304:WStaging_02_D a'SM0:4032:304 Staging-02 h s ComTaskPool:4032 sISM0:4032:120:WIEmor 01 p0 s SM0:4032:120:WIEmor 01 p0h Sessions 1 Data Exeaution Prevention (DEP) Status: Enabled (permanent) Sessions Address Space Load Randomization: High-Entropy, Bottom-Up, Force-Rel Control Flow Guard: Enterprise Context: RuntimeBroker.exe(4032): 10000 WindowStation Sessions1 Windows WindowStations WinSta0 WindowStationSessionsIWindows Window StationsWinSta0 9 CPU Usage: 25.49% Commit Charge: 74.66% Processes: 209 Physical Usage: 50.02% ENG 305 PM 31/05/2019

Process Explorer- Sysinternals: www File Options View Process Find Handle Users Help CPU Pivatyes Working Set PID 14.408 K 96 | 972 K RuntimeBroker.exe:4032 Properties 7801 GPU Graph ESystem 212 K 10.272 K 4 0K n 0 92 ThreadsTCP/PSerity Environment Job Strings 504 K 2436 K 1,872 K 1,332 K 7,660 K 980 K 212 K 280.552 K 672 3348 Count: 5 001 2.156K 912 32 K 452 6.520 K 688 244 K 1092 28,796 K 1116 TID CPU Cycles Deta Suspend Count Start Address winint.exe nputhost di Creat 003 9428 ntdl diRtiRelease windows.storage.d.. ntdl di RtlRelease.. 25,164 K 165 376 K 2024 66268 K 24448 22.956 K 7600 17.632 K 4032 25,984 K 9820 5.956 K 12256 ,080 K 13104 12.528 K 12464 K 4.464 K 2.712 K Type C."ProgramData Mcrosoft "Windowa Sessions1 Sessions1 sC."ProgramData Microsoft Windows C ProgramData "Mcrosoft 'Windows C.ProgramData Mcrosoft Windows windows ie global_counters 2:38:16 AM 16/05/2019 s SM0:4032:304:WStaging_02_D aLSM0:4032:304:WStaging 02 pOh s ComTaskPool:4032 sISM0:4032:120:WIEmor 01 p0 s SM0:4032:120:WIEmor 01 p0h Wait:UserRequest Bse Prionity Kemel Tme: Dynamic Priority:8 Sessions 1 User Tme: 0:00:00.031 L/O Priority: Sessions Context Swtches: 10,436 Memory Priority:5 Ideal Processor: 1 Cydles: 1,454,254,706 RuntimeBroker.exe(4032): 10000 WindowStation Sessions1 Windows WindowStations WinSta0 WindowStationSessionsIWindows Window StationsWinSta0 9 CPU Usage: 21.99% Commit Charge: 74.71% Processes: 209 Physical Usage: 50.12% ENG 3:09 PM

Answer 5
**********
from where this process is being executed (path).

any network connection if it has established for communicaiton.

security for which user is authenticated or not and under which group it belongs to.

performance graph of the process from starting till running.

cpu graph will show the how much cpu usage of that prcess.

string that inside that exe file contains.

Threads how many threads are created under that porcess.

Process Explorer-Sysínternals: www.sysinternals.com [MADHA Administrator] File Options View Process Find Handle Users Help dlal □E Find Handle or DLL Ctrl+F CPU Pivate Bytes Working Set PID Descrtption Company Name 1.136 K 14,712K 96 8 K 10.272 K 4 0K n/a Hardware Intemupts and DPCs 212 K 672 3348 78 53 1.30 52 K 212 K 0 K 504 K 2436 K 280.496K 1,924 K 1,332 K 7,652 K 980 K ESystem 001 0.01 2.172K 912 32 K 452 6.512K 688 244 K 1092 Host Process for Windows S... Microsoft Corporation 28,948 K 1116 Host Process for Windows S. crosoft Corporation winint.exe 001 eservices exe 25,336 K 165 376 K 12 528 K 0 86 66268 K 22.940 K 7600 Auntime Broker 7632 K 4032 Runtime Broker 5.984 K 9820 Runtime Broker 12464 K K 5.956 K 12256 Casting protocol connection !.. Microsoft Corporation 2.712 K K5.956 K 12256 Caking protocal connection !. .Mcros 4.464 6.080 K 13104 COM Surmrogate Microsoft Corporation Type C."ProgramData Mcrosoft "Windows Caches cversions.2ro Sessions 1 BaseNamedObjectsVC.ProgramData Mcrosoft"Windows Caches'eversions.2ro sC"ProgramData Microsoft Windows Caches cversions 2ro C"ProgramData Mcrosoft Windows Caches TOA17230B C"ProgramData Mcroeoft Windows Caches 158AB68BD Sessions1 Sessions1 s SM0:4032:304:WStaging_02_D aLSM0:4032:304:WStaging 02 pOh Sessions 1 sISM0:4032:120:WIEmor 01 p0 s SM0:4032:120:WIEmor 01 p0h RuntimeBroker.exe(4032): 10000 WindowStation Sessions1 Windows WindowStations WinSta0 WindowStationSessionsIWindows Window StationsWinSta0 9 CPU Usage: 21.47% Commit Charge: 74.88% Processes: 210 Physical Usage: 50.11% ENG 3:09 PM 31/05/2019 2 4.6 K

Process Explorer- Sysinternals: www rator File Options View Process Find Handle Users Help CPU Privats Working Set PID Descrpton Company Name 1.124 K 14,700 K 96 Registry System Idle Process ESystem 81.70 52 K 8 K Process Explorer Search Handle or DLl substring: procexp.exe Search Process PID Type Name Type Section C."ProgramData Mcrosoft "Windows Caches cversions.2ro Sessions 1 BaseNamedObjectsVC.ProgramData Mcrosoft"Windows Caches'eversions.2ro sC"ProgramData Microsoft Windows Caches cversions 2ro C"ProgramData Mcrosoft Windows Caches TOA17230B C"ProgramData Mcroeoft Windows Caches 158AB68BD Section Section Sessions1 Sessions1 Sesaions 1 Section Section Section Sessions1 Sessions1 windows ie global_counters s SM0:4032:304:WStaging_02_D aLSM0:4032:304:WStaging 02 pOh s ComTaskPool:4032 sISM0:4032:120:WIEmor 01 p0 s SM0:4032:120:WIEmor 01 p0h Sessions 1 Sessions RuntimeBroker.exe(4032): 3972 RuntimeBroker.exe 4032): 2024 Furtime Broker exe(4032): 10000 RuntimeBroker exe(4032) 10000 RuntimeBroker.exe(4032): 10000 RuntimeBroker.exe 4032): 24448 WindowStation Sessions1 Windows WindowStations WinSta0 WindowStationSessionsIWindows Window StationsWinSta0 Thread CPU Usage: 18.30% Commit Charge: 75.02% Processes: 210 Physical Usage: 50.27% Paused ENG3/05/2019 3:10 PM

Answer 6
************

i have win 64 bit so procexp64.exe is used so i search using this name

Process Explorer- Sysinternals: www File Options View Process Find Handle Users Help CPU Private Bytes Working Set PID Description Company Name 3040 K 1 1 884 Windows Defender notficati crosoft Corporation NVIDIA 3852 K 12116 Reatek HD Audio Process Explorer Search 15.968 К 12272 Networx Handle or DLL substring: procexp64. exe PID Type Name Process 042 273,168 K 241,144 K 10872 Google Chrome explorer exe 8284 Thread procexp64.exe 17536): 24008 explorer.exe 8284 Process procexp64 exe(17536) procexp64.e... 17536 DLL CWindows procexp64 exe 572 K 15708 Googe 17536 372 444 K 208,396 K 10904 Google Chrome 4 matching items. cNon -existent Process21552): 24124 Non existent Process>(1656 13852 cNon-exdstent Proces12416): 18604 CPU Usage: 15.03% Commit Charge: 74.32% Processes: 209 Physical Usage: 48.93% Paused 3:12 PM ^눋脈4) ENG 31/05/2019

Process Explorer- Sysinternals: www File Options View Process Find Handle Users Help CPU Private Bytes Working Set PID Description Company Name 644 K 8284 Windows 3040 K 1 1 884 Windows Defender notficati crosoft Corporation 6,692 K 12020 NVIDIA Backend 3852 K 12116 Reatek HD Audio 2944 K 12220 HD Audo 15,968 K 12272 NetWork 2052 K 11812 HD Audio 2500 K 11840 Advanced 17,268 K 5632 hteret DownloadH |Process 14.872 K 4.700 K 6.336 K 19,156 K 4.692 K 26.036 K Process Explorer Search RAVBg64 exe Handle or DLL substring: procexp64. exe IDMan exe IEMonitor.exe 曰@chrome exe 19,884 K 11.440 K PID Type Name 1.232 K 11504 htemet Download 042 273,168 K 241,144 K 10872 Google Chrome explorer exe 8284 Thread procexp64.exe 17536): 24008 explorer.exe 8284 Process procexp64 exe(17536) .. 17536 DLL CWindows procexp64 exe procexp64.e.. 17536 Thread procexp64 exe(17536): 24008 procexp64.e 17536 Thread procexp64.exe 17536): 24556 procexp64.... 17536 Thread procexp64 exe(17536): 24008 procexp64.e... 17536 Thread procexp64 exe(17536): 24008 2.184 K 2024 K 153400 K 2.100 K 19820 Google Chrome 572K 15708 Googie Chrome procexp64.e 5,796 K 21480 Google Chrome 208,396 K 10904 Google Chrome 11.316 K 11328 Googe Chrome 44 564 K 372 444 K 47.124 K AAK50ORK 19144 Gonele Type procexp64.... 17536 Thread procexp64 exe(17536): 17060 procexp64.e... 17536 Thread procexp64 exe(17536): 22472 procexp64.e.. 17536 Thread procexp64 exe(17536): 17060 procexp64.e 17536 Thread procexp64.exe 17536): 26376 procexp64.... 17536 Thread procexp64 exe(17536): 8920 procexp64.e... 17536 Thread procexp64 exe(17536): 11600 procexp64.e.. 17536 Thread procexp64 exe(17536): 4936 explorer exe(8284): 15096 explorer exe(8284): 22468 explorer exe(8284): 21404 cNon -existent Process21552): 24124 explorer exe(8284): 9544 explorer exe(8284): 22300 cNon-existent Process 14496 12624 cNon-existent Process>23408): 17728 cNon-exdstent Proces85220) 19960 explorer exe(8284): 12748 explorer exe(8284): 22468 Non existent Process>(1656 13852 explorer exe(8284): 12940 〈Non-existent Processx1 2084) 24564 explorer exe(8284): 23156 explorer exe(3284): 16524 cNon-exdstent Proces12416): 18604 explorer exe(8284): 13716 17 matching items. «Nonexistent Process 1 CPU Usage: 15.03% Commit Charge: 74.32% Processes: 209 Physical Usage: 48.93% Paused 40 ENG 3:13 PM

if you have any doubt then please ask me without any hesitation in the comment section below , if you like my answer then please thumbs up for the answer , before giving thumbs down please discuss the question it may possible that we may understand the question different way and we can edit and change the answers if you argue, thanks :)