Working with Processes and Services

Question 1

What is the basic command for displaying all running processes?

Answer 1

Get-Process

Question 2

What Get-Process parameter is used for filtering process by their name?

Answer 2

Get-Process -Name {process_name}

Get-Process -Name "notepad"

Question 3

What Get-Process parameter is used for retrieving the process with a specific process ID (PID)?

Answer 3

Get-Process -Id {PID}

Get-Process -Id 31132

Question 4

What Get-Process parameter is used to include the user that runs the service?

Answer 4

Get-Process -IncludeUsername {username}

Question 5

What Get-Process parameter is used for

Question 6

You have an IP address of 34.120.241.214 that you find suspicious so you would like to determine which process communicates to that IP address. How would you do it?

Answer 6

C:\Windows\System32>netstat -ano | findstr 34.120.241.214
  TCP    10.43.43.1:55549       34.120.241.214:443     ESTABLISHED     9304

C:\Windows\System32>tasklist | findstr 9304
Evernote.exe                  9304 Console                    2     21,900 K

in CMD

Question 7

What is the very useful CMD command used to display a list of currently running tasks, including services and processes?

Answer 7

tasklist

Question 8

Does tasklist require administrative privileges?

Answer 8

no, it does not typically require administrative privileges to run, making it accessible for general users

Question 9

How to display status for the eventlog service in CMD?

Answer 9

C:\Windows\System32>sc query eventlog

SERVICE_NAME: eventlog
        TYPE               : 30  WIN32
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

Question 10

Which command is used in PowerShell to provide a list of services?

Answer 10

Get-Service

Question 11

How to use tasklist to display only running processes?

Answer 11

tasklist /FI "STATUS eq running"

Question 12

How to export a table of running processes to CSV file in CMD?

Answer 12

tasklist /FI "STATUS eq running" /FO CSV > C:\Users\jan\Desktop\running_tasks.csv

Question 13

How to display all tasks that have DLL modules loaded in them with tasklist?

Answer 13

tasklist /M

Question 14

How to use tasklist to determine which services are running under which instances of svchost.exe and other host processes?

Answer 14

tasklist /svc

Question 15

How to display detailed information about the listed tasks, including the session number, session name, memory usage, etc. with tasklist?

Answer 15

tasklist /V

Question 16

What is the Window Title column in the output of the tasklist /V command?

Answer 16

• title of the window associated with each process, if applicable
• particularly relevant for processes that have a user interface with a visible window
• when a process has a graphical user interface (GUI) with an open window, the “Window Title” column shows the title of that window

the window title might be the name of the opened Word document

Question 17

How to check which processes are running with elevated privileges in Windows?

Answer 17

Task Manager > Details > right click on a column > Select Columns > Elevated

Question 18

How to filer out lines that have “N/A” value in the Window Title in tasklist /v command?

Answer 18

tasklist /V | findstr /V /C:"N/A"
<br></br>
* tasklist /V generates the verbose list of tasks.
* | pipes the output of tasklist to findstr.
* findstr /V is used to print only lines that do not contain the specified string.
* /C:”N/A” specifies the string to exclude, in this case, “N/A”.

Question 19

What is the purpose of the Session Name column in the tasklist output?

Answer 19

provide information about the type of session in which a process is running

Question 20

If the value of the Session Name column is Services for a process, what does it mean?

Answer 20

• process is running in Session 0, which is reserved for system services and other non-interactive processes
• typically system-level processes, background services, and drivers that do not interact directly with the user interfac

Question 21

If the value of the Session Name column is Console for a process, what does it mean?

Answer 21

interactive user session - indicates that the process is part of a user session, where it can interact with the user interface and the logged-in user can interact with the process

Question 22

How to display all running process and their process name, process ID, the user running the process, when the process started, and the path of the executable file sorted by the start time?

Answer 22

Get-Process -IncludeUserName | Select-Object Name, ID, UserName, StartTime, Path | Sort-Object StartTime